TclTLS: Diff

Differences From Artifact [f4a59d7949]:

File generic/tls.c — part of check-in [28d6418fa7] at 2023-09-24 20:12:17 on branch main — Moved definition of Append to List macros to tlsInt.h. Updated tls.c to use Append to List macros. (user: bohagan, size: 90229) [annotate] [blame] [check-ins using]

To Artifact [d77314704b]:

File generic/tls.c — part of check-in [78cf378796] at 2023-10-10 04:10:56 on branch crypto — Added hashes command to list OpenSSL supported hash digests. (user: bohagan, size: 94288) [annotate] [blame] [check-ins using]

︙			︙
442 443 444 445 446 447 448 ~~449~~ 450 451 452 453 454 455 456	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); if (msg != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); ~~} else if ((msg = Tcl_GetStringFromObj(Tcl_GetObjResult(interp), ~~(Tcl_Size *)~~NULL)) != NULL) {~~ Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); } else { listPtr = Tcl_NewListObj(0, NULL); while ((err = ERR_get_error()) != 0) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1)); }	\|	442 443 444 445 446 447 448 449 450 451 452 453 454 455 456	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); if (msg != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); } else if ((msg = Tcl_GetStringFromObj(Tcl_GetObjResult(interp), NULL)) != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); } else { listPtr = Tcl_NewListObj(0, NULL); while ((err = ERR_get_error()) != 0) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1)); }
︙			︙
549 550 551 552 553 554 555 ~~556~~ 557 ~~558 559~~ 560 561 562 563 ~~564~~ 565 566 567 568 569 570 571	} Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long / if (code == TCL_OK) { ~~~~Tcl_Size~~ len;~~ char ret = (char ) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); ~~if (len > ~~(Tcl_Size)~~ size-1) { len = ~~(Tcl_Size)~~ size-1;~~ } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((ClientData) interp); ~~return(~~(int)~~ len);~~ } Tcl_Release((ClientData) interp); return -1; } / *-------------------------------------------------------------------	\| \| \| \|	549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571	} Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long / if (code == TCL_OK) { int len; char ret = (char ) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > size-1) { len = size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((ClientData) interp); return(len); } Tcl_Release((ClientData) interp); return -1; } / *-------------------------------------------------------------------
︙			︙
611 612 613 614 615 616 617 ~~618~~ 619 620 621 ~~622~~ 623 624 625 626 627 628 629	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); /* Session id / session_id = SSL_SESSION_get_id(session, &ulen); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (~~Tcl_Size~~) ulen));~~ / Session ticket / SSL_SESSION_get0_ticket(session, &ticket, &len2); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(ticket, (~~Tcl_Size~~) len2));~~ / Lifetime - number of seconds / Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); / Eval callback command */ Tcl_IncrRefCount(cmdPtr);	\| \|	611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); /* Session id / session_id = SSL_SESSION_get_id(session, &ulen); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (int) ulen)); / Session ticket / SSL_SESSION_get0_ticket(session, &ticket, &len2); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(ticket, (int) len2)); / Lifetime - number of seconds / Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); / Eval callback command */ Tcl_IncrRefCount(cmdPtr);
︙			︙
900 901 902 903 904 905 906 ~~907~~ 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934	servername = (const char )p; / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (~~Tcl_Size~~) len));~~ / Eval callback command / Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_CLIENT_HELLO_RETRY; alert = SSL_R_TLSV1_ALERT_USER_CANCELLED; } else if (code == 1) { res = SSL_CLIENT_HELLO_SUCCESS; } else { res = SSL_CLIENT_HELLO_ERROR; alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; } Tcl_DecrRefCount(cmdPtr); return res; } /******************/ / Commands / /******************/ / ------------------------------------------------------------------- * CiphersObjCmd -- list available ciphers * * This procedure is invoked to process the "tls::ciphers" command * to list available ciphers, based upon protocol selected.	\| > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >	900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086	servername = (const char )p; / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (int) len)); / Eval callback command / Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_CLIENT_HELLO_RETRY; alert = SSL_R_TLSV1_ALERT_USER_CANCELLED; } else if (code == 1) { res = SSL_CLIENT_HELLO_SUCCESS; } else { res = SSL_CLIENT_HELLO_ERROR; alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; } Tcl_DecrRefCount(cmdPtr); return res; } /******************/ / Commands / /******************/ / ------------------------------------------------------------------- * Hash Calc -- return hash hex string for message digest * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / int HashCalc(Tcl_Interp interp, int objc, Tcl_Obj const objv[], const EVP_MD type) { char data; int len; unsigned int mdlen; unsigned char mdbuf[EVP_MAX_MD_SIZE]; unsigned char hashbuf[EVP_MAX_MD_SIZE2+1]; const char hex = "0123456789ABCDEF"; if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "data"); return TCL_ERROR; } data = Tcl_GetByteArrayFromObj(objv[1], &len); if (data == NULL) { return TCL_ERROR; } /* Calc hash, convert to hex string, and write to result / if (EVP_Digest(data, (size_t) len, mdbuf, &mdlen, type, NULL)) { unsigned char mptr = mdbuf; unsigned char hptr = &hashbuf[0]; for (unsigned int i = 0; i < mdlen; i++) { hptr++ = hex[(mptr>>4)&0xF]; hptr++ = hex[(mptr++)&0xF]; } hptr = 0; Tcl_SetObjResult(interp, Tcl_NewStringObj(hashbuf, mdlen2)); } else { Tcl_SetResult(interp, "Hash calculation error", NULL); return TCL_ERROR; } return TCL_OK; } / ------------------------------------------------------------------- * Hash Commands -- Return hash value for digest as hex string * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / HashCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { int len; const char name; const EVP_MD type; if (objc != 3) { Tcl_WrongNumArgs(interp, 1, objv, "type data"); return TCL_ERROR; } name = Tcl_GetStringFromObj(objv[1],&len); if (name == NULL \|\| (type = EVP_get_digestbyname(name)) == NULL) { Tcl_AppendResult(interp, "Invalid digest type \"", name, "\"", NULL); return TCL_ERROR; } objc--; objv++; return HashCalc(interp, objc, objv, type); } /* * Command to Calculate MD4 Hash / int HashMD4Cmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { return HashCalc(interp, objc, objv, EVP_md4()); } / * Command to Calculate MD5 Hash / int HashMD5Cmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { return HashCalc(interp, objc, objv, EVP_md5()); } / * Command to Calculate SHA-1 Hash / int HashSHA1Cmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { return HashCalc(interp, objc, objv, EVP_sha1()); } / * Command to Calculate SHA-256 Hash / int HashSHA256Cmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { return HashCalc(interp, objc, objv, EVP_sha256()); } / ------------------------------------------------------------------- * Hash List Command -- Return list of hash message digests * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / void HashListCallback(const OBJ_NAME obj, void arg) { Tcl_Obj objPtr = (Tcl_Obj ) arg; Tcl_ListObjAppendElement(NULL, objPtr, Tcl_NewStringObj(obj->name,-1)); } /* * Command to list available Hash values / int HashListCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { Tcl_Obj objPtr = Tcl_NewListObj(0, NULL); OpenSSL_add_all_digests(); //make sure they're loaded OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, HashListCallback, (void ) objPtr); Tcl_ResetResult(interp); Tcl_SetObjResult(interp, objPtr); return TCL_OK; clientData = clientData; objc = objc; objv = objv; } / ------------------------------------------------------------------- * CiphersObjCmd -- list available ciphers * * This procedure is invoked to process the "tls::ciphers" command * to list available ciphers, based upon protocol selected.
︙			︙
1169 1170 1171 1172 1173 1174 1175 ~~1176~~ 1177 1178 1179 1180 1181 1182 1183	if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ERR_clear_error(); ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } / Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {	\|	1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335	if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ERR_clear_error(); chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
︙			︙
1247 1248 1249 1250 1251 1252 1253 ~~1254 1255~~ 1256 1257 1258 1259 1260 ~~1261~~ 1262 ~~1263~~ 1264 1265 1266 1267 1268 1269 1270	Tcl_Channel chan; /* The channel to set a mode on. / State statePtr; /* client state for ssl socket / SSL_CTX ctx = NULL; Tcl_Obj script = NULL; Tcl_Obj password = NULL; Tcl_Obj vcmd = NULL; Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; ~~int idx; ~~Tcl_Size len;~~~~ int flags = TLS_TCL_INIT; int server = 0; / is connection incoming or outgoing? / char keyfile = NULL; char certfile = NULL; unsigned char key = NULL; ~~~~Tcl_Size~~ key_len = 0;~~ unsigned char cert = NULL; ~~~~Tcl_Size~~ cert_len = 0;~~ char ciphers = NULL; char ciphersuites = NULL; char CAfile = NULL; char CAdir = NULL; char DHparams = NULL; char model = NULL; char servername = NULL; /* hostname for Server Name Indication */	\| < \| \|	1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421	Tcl_Channel chan; /* The channel to set a mode on. / State statePtr; /* client state for ssl socket / SSL_CTX ctx = NULL; Tcl_Obj script = NULL; Tcl_Obj password = NULL; Tcl_Obj vcmd = NULL; Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; int idx, len; int flags = TLS_TCL_INIT; int server = 0; / is connection incoming or outgoing? / char keyfile = NULL; char certfile = NULL; unsigned char key = NULL; int key_len = 0; unsigned char cert = NULL; int cert_len = 0; char ciphers = NULL; char ciphersuites = NULL; char CAfile = NULL; char CAdir = NULL; char DHparams = NULL; char model = NULL; char servername = NULL; /* hostname for Server Name Indication */
︙			︙
1293 1294 1295 1296 1297 1298 1299 ~~1300~~ 1301 1302 1303 1304 1305 1306 1307 1308 ~~1309~~ 1310 1311 1312 1313 1314 1315 1316	if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; } ERR_clear_error(); ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } / Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); for (idx = 2; idx < objc; idx++) { ~~char opt = Tcl_GetStringFromObj(objv[idx], ~~(Tcl_Size *)~~NULL);~~ if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile);	\| \|	1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467	if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; } ERR_clear_error(); chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } /* Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); for (idx = 2; idx < objc; idx++) { char opt = Tcl_GetStringFromObj(objv[idx], NULL); if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile);
︙			︙
1422 1423 1424 1425 1426 1427 1428 ~~1429 1430~~ 1431 1432 1433 1434 1435 1436 1437	"\": not a TLS channel", NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ctx = ((State )Tcl_GetChannelInstanceData(chan))->ctx; } else { ~~if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, ~~(int)~~ key_len, ~~(int)~~ cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) {~~ Tls_Free((char ) statePtr); return TCL_ERROR; } } statePtr->ctx = ctx;	\| \|	1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588	"\": not a TLS channel", NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ctx = ((State )Tcl_GetChannelInstanceData(chan))->ctx; } else { if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, key_len, cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) { Tls_Free((char ) statePtr); return TCL_ERROR; } } statePtr->ctx = ctx;
︙			︙
1513 1514 1515 1516 1517 1518 1519 ~~1520 1521~~ 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 ~~1538~~ 1539 1540 1541 1542 1543 ~~1544 1545 1546 1547~~ 1548 1549 1550 1551 1552 1553 1554	/* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0, http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. / if (alpn) { / Convert a TCL list into a protocol-list in wire-format / unsigned char protos, p; unsigned int protos_len = 0; ~~~~Tcl_Size cnt, i;~~ int j;~~ Tcl_Obj list; if (Tcl_ListObjGetElements(interp, alpn, &cnt, &list) != TCL_OK) { Tls_Free((char ) statePtr); return TCL_ERROR; } /* Determine the memory required for the protocol-list / for (i = 0; i < cnt; i++) { Tcl_GetStringFromObj(list[i], &len); if (len > 255) { Tcl_AppendResult(interp, "ALPN protocol name too long", (char ) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ~~protos_len += 1 + ~~(int)~~ len;~~ } /* Build the complete protocol-list / protos = ckalloc(protos_len); / protocol-lists consist of 8-bit length-prefixed, byte strings / ~~for (j = 0, p = protos; j < cnt; j++) { char str = Tcl_GetStringFromObj(list[j], &len); p++ = ~~(unsigned char)~~ len; memcpy(p, str, ~~(size_t)~~ len);~~ p += len; } / SSL_set_alpn_protos makes a copy of the protocol-list / / Note: This functions reverses the return value convention / if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "failed to set ALPN protocols", (char ) NULL);	< \| \| \| \| \| \|	1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704	/* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0, http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. / if (alpn) { / Convert a TCL list into a protocol-list in wire-format / unsigned char protos, p; unsigned int protos_len = 0; int i, len, cnt; Tcl_Obj list; if (Tcl_ListObjGetElements(interp, alpn, &cnt, &list) != TCL_OK) { Tls_Free((char ) statePtr); return TCL_ERROR; } /* Determine the memory required for the protocol-list / for (i = 0; i < cnt; i++) { Tcl_GetStringFromObj(list[i], &len); if (len > 255) { Tcl_AppendResult(interp, "ALPN protocol name too long", (char ) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } protos_len += 1 + len; } /* Build the complete protocol-list / protos = ckalloc(protos_len); / protocol-lists consist of 8-bit length-prefixed, byte strings / for (i = 0, p = protos; i < cnt; i++) { char str = Tcl_GetStringFromObj(list[i], &len); p++ = len; memcpy(p, str, len); p += len; } / SSL_set_alpn_protos makes a copy of the protocol-list / / Note: This functions reverses the return value convention / if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "failed to set ALPN protocols", (char ) NULL);
︙			︙
1718 1719 1720 1721 1722 1723 1724 ~~1725~~ 1726 1727 1728 1729 1730 1731 ~~1732~~ 1733 1734 1735 1736 1737 ~~1738~~ 1739 1740 1741 1742 1743 ~~1744~~ 1745 1746 1747 1748 1749 ~~1750~~ 1751 1752 1753 1754 1755 ~~1756~~ 1757 1758 1759 1760 1761 ~~1762~~ 1763 1764 1765 1766 1767 1768 1769	int off = 0; int load_private_key; const SSL_METHOD method; dprintf("Called"); if (!proto) { ~~Tcl_AppendResult(interp, "no valid protocol selected", ~~(char )~~ NULL);~~ return NULL; } /* create SSL context / #if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { ~~Tcl_AppendResult(interp, "SSL2 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { ~~Tcl_AppendResult(interp, "SSL3 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { ~~Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { ~~Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { ~~Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { ~~Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif if (proto == 0) { / Use full range */ SSL_CTX_set_min_proto_version(ctx, 0); SSL_CTX_set_max_proto_version(ctx, 0);	\| \| \| \| \| \| \|	1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919	int off = 0; int load_private_key; const SSL_METHOD method; dprintf("Called"); if (!proto) { Tcl_AppendResult(interp, "no valid protocol selected", NULL); return NULL; } / create SSL context / #if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { Tcl_AppendResult(interp, "SSL2 protocol not supported", NULL); return NULL; } #endif #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { Tcl_AppendResult(interp, "SSL3 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return NULL; } #endif if (proto == 0) { / Use full range */ SSL_CTX_set_min_proto_version(ctx, 0); SSL_CTX_set_max_proto_version(ctx, 0);
︙			︙
2060 2061 2062 2063 2064 2065 2066 ~~2067~~ 2068 2069 2070 2071 2072 2073 2074	if (objc < 2 \|\| objc > 3 \|\| (objc == 3 && !strcmp(Tcl_GetString(objv[1]), "-local"))) { Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); return TCL_ERROR; } /* Get channel Id / ~~channelName = Tcl_GetStringFromObj(objv[(objc == 2 ? 1 : 2)], ~~(Tcl_Size )~~ NULL);~~ chan = Tcl_GetChannel(interp, channelName, &mode); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan);	\|	2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224	if (objc < 2 \|\| objc > 3 \|\| (objc == 3 && !strcmp(Tcl_GetString(objv[1]), "-local"))) { Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); return TCL_ERROR; } /* Get channel Id / channelName = Tcl_GetStringFromObj(objv[(objc == 2 ? 1 : 2)], NULL); chan = Tcl_GetChannel(interp, channelName, &mode); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } / Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan);
︙			︙
2130 2131 2132 2133 2134 2135 2136 ~~2137~~ 2138 2139 2140 2141 2142 2143 2144	} /* Verify mode depth / LAPPEND_INT(interp, objPtr, "verifyDepth", SSL_get_verify_depth(statePtr->ssl)); / Report the selected protocol as a result of the negotiation / SSL_get0_alpn_selected(statePtr->ssl, &proto, &len); ~~LAPPEND_STR(interp, objPtr, "alpn", (char )proto, (~~Tcl_Size~~) len);~~ LAPPEND_STR(interp, objPtr, "protocol", SSL_get_version(statePtr->ssl), -1); /* Valid for non-RSA signature and TLS 1.3 */ if (objc == 2) { res = SSL_get_peer_signature_nid(statePtr->ssl, &nid); } else { res = SSL_get_signature_nid(statePtr->ssl, &nid);	\|	2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294	} /* Verify mode depth / LAPPEND_INT(interp, objPtr, "verifyDepth", SSL_get_verify_depth(statePtr->ssl)); / Report the selected protocol as a result of the negotiation / SSL_get0_alpn_selected(statePtr->ssl, &proto, &len); LAPPEND_STR(interp, objPtr, "alpn", (char )proto, (int) len); LAPPEND_STR(interp, objPtr, "protocol", SSL_get_version(statePtr->ssl), -1); /* Valid for non-RSA signature and TLS 1.3 */ if (objc == 2) { res = SSL_get_peer_signature_nid(statePtr->ssl, &nid); } else { res = SSL_get_signature_nid(statePtr->ssl, &nid);
︙			︙
2180 2181 2182 2183 2184 2185 2186 ~~2187~~ 2188 2189 2190 2191 2192 2193 2194	const EVP_MD md; if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {	\|	2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344	const EVP_MD md; if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } / Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
︙			︙
2287 2288 2289 2290 2291 2292 2293 ~~2294~~ 2295 2296 2297 2298 ~~2299~~ 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 ~~2313~~ 2314 2315 2316 ~~2317~~ 2318 2319 2320 ~~2321~~ 2322 2323 2324 2325 2326 2327 ~~2328~~ 2329 2330 2331 ~~2332~~ 2333 2334 2335 2336 2337 2338 2339	size_t len2; unsigned int ulen; const unsigned char session_id, proto; char buffer[SSL_MAX_MASTER_KEY_LENGTH]; /* Report the selected protocol as a result of the ALPN negotiation / SSL_SESSION_get0_alpn_selected(session, &proto, &len2); ~~LAPPEND_STR(interp, objPtr, "alpn", (char ) proto, (~~Tcl_Size~~) len2);~~ /* Report the selected protocol as a result of the NPN negotiation / #ifdef USE_NPN SSL_get0_next_proto_negotiated(ssl, &proto, &ulen); ~~LAPPEND_STR(interp, objPtr, "npn", (char ) proto, (~~Tcl_Size~~) ulen);~~ #endif /* Resumable session / LAPPEND_BOOL(interp, objPtr, "resumable", SSL_SESSION_is_resumable(session)); / Session start time (seconds since epoch) / LAPPEND_LONG(interp, objPtr, "start_time", SSL_SESSION_get_time(session)); / Timeout value - SSL_CTX_get_timeout (in seconds) / LAPPEND_LONG(interp, objPtr, "timeout", SSL_SESSION_get_timeout(session)); / Session id - TLSv1.2 and below only / session_id = SSL_SESSION_get_id(session, &ulen); ~~LAPPEND_BARRAY(interp, objPtr, "session_id", session_id, (~~Tcl_Size~~) ulen);~~ / Session context / session_id = SSL_SESSION_get0_id_context(session, &ulen); ~~LAPPEND_BARRAY(interp, objPtr, "session_context", session_id, (~~Tcl_Size~~) ulen);~~ / Session ticket - client only / SSL_SESSION_get0_ticket(session, &ticket, &len2); ~~LAPPEND_BARRAY(interp, objPtr, "session_ticket", ticket, (~~Tcl_Size~~) len2);~~ / Session ticket lifetime hint (in seconds) / LAPPEND_LONG(interp, objPtr, "lifetime", SSL_SESSION_get_ticket_lifetime_hint(session)); / Ticket app data / SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2); ~~LAPPEND_BARRAY(interp, objPtr, "ticket_app_data", ticket, (~~Tcl_Size~~) len2);~~ / Get master key / len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH); ~~LAPPEND_BARRAY(interp, objPtr, "master_key", buffer, (~~Tcl_Size~~) len2);~~ / Compression id / unsigned int id = SSL_SESSION_get_compress_id(session); LAPPEND_STR(interp, objPtr, "compression_id", id == 1 ? "zlib" : "none", -1); } / Compression info */	\| \| \| \| \| \| \|	2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458 2459 2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488 2489	size_t len2; unsigned int ulen; const unsigned char session_id, proto; char buffer[SSL_MAX_MASTER_KEY_LENGTH]; /* Report the selected protocol as a result of the ALPN negotiation / SSL_SESSION_get0_alpn_selected(session, &proto, &len2); LAPPEND_STR(interp, objPtr, "alpn", (char ) proto, (int) len2); /* Report the selected protocol as a result of the NPN negotiation / #ifdef USE_NPN SSL_get0_next_proto_negotiated(ssl, &proto, &ulen); LAPPEND_STR(interp, objPtr, "npn", (char ) proto, (int) ulen); #endif /* Resumable session / LAPPEND_BOOL(interp, objPtr, "resumable", SSL_SESSION_is_resumable(session)); / Session start time (seconds since epoch) / LAPPEND_LONG(interp, objPtr, "start_time", SSL_SESSION_get_time(session)); / Timeout value - SSL_CTX_get_timeout (in seconds) / LAPPEND_LONG(interp, objPtr, "timeout", SSL_SESSION_get_timeout(session)); / Session id - TLSv1.2 and below only / session_id = SSL_SESSION_get_id(session, &ulen); LAPPEND_BARRAY(interp, objPtr, "session_id", session_id, (int) ulen); / Session context / session_id = SSL_SESSION_get0_id_context(session, &ulen); LAPPEND_BARRAY(interp, objPtr, "session_context", session_id, (int) ulen); / Session ticket - client only / SSL_SESSION_get0_ticket(session, &ticket, &len2); LAPPEND_BARRAY(interp, objPtr, "session_ticket", ticket, (int) len2); / Session ticket lifetime hint (in seconds) / LAPPEND_LONG(interp, objPtr, "lifetime", SSL_SESSION_get_ticket_lifetime_hint(session)); / Ticket app data / SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2); LAPPEND_BARRAY(interp, objPtr, "ticket_app_data", ticket, (int) len2); / Get master key / len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH); LAPPEND_BARRAY(interp, objPtr, "master_key", buffer, (int) len2); / Compression id / unsigned int id = SSL_SESSION_get_compress_id(session); LAPPEND_STR(interp, objPtr, "compression_id", id == 1 ? "zlib" : "none", -1); } / Compression info */
︙			︙
2433 2434 2435 2436 2437 2438 2439 ~~2440 2441~~ 2442 2443 2444 2445 2446 2447 2448	* ------------------------------------------------------------------- / static int MiscObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { static const char *commands [] = { "req", "strreq", NULL }; enum command { C_REQ, C_STRREQ, C_DUMMY }; ~~~~Tcl_Size cmd;~~ int isStr;~~ char buffer[16384]; dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); return TCL_ERROR;	< \|	2583 2584 2585 2586 2587 2588 2589 2590 2591 2592 2593 2594 2595 2596 2597	* ------------------------------------------------------------------- / static int MiscObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { static const char *commands [] = { "req", "strreq", NULL }; enum command { C_REQ, C_STRREQ, C_DUMMY }; int cmd, isStr; char buffer[16384]; dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); return TCL_ERROR;
︙			︙
2457 2458 2459 2460 2461 2462 2463 ~~2464 2465~~ 2466 2467 2468 2469 2470 2471 2472	switch ((enum command) cmd) { case C_REQ: case C_STRREQ: { EVP_PKEY pkey=NULL; X509 cert=NULL; X509_NAME name=NULL; Tcl_Obj listv; ~~Tcl_Size~~ listc; ~~int i;~~ BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,str; int keysize,serial=0,days=365;	\| <	2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620	switch ((enum command) cmd) { case C_REQ: case C_STRREQ: { EVP_PKEY pkey=NULL; X509 cert=NULL; X509_NAME name=NULL; Tcl_Obj listv; int listc,i; BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,str; int keysize,serial=0,days=365;
︙			︙
2489 2490 2491 2492 2493 2494 2495 ~~2496~~ 2497 2498 2499 2500 2501 2502 2503	pemout=Tcl_GetString(objv[4]); if (isStr) { Tcl_SetVar(interp,keyout,"",0); Tcl_SetVar(interp,pemout,"",0); } if (objc>=6) { ~~if (Tcl_ListObjGetElements(interp, objv[5], ~~&listc, &listv) != TCL_OK) {~~~~ return TCL_ERROR; } if ((listc%2) != 0) { Tcl_SetResult(interp,"Information list must have even number of arguments",NULL); return TCL_ERROR; }	\| >	2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652	pemout=Tcl_GetString(objv[4]); if (isStr) { Tcl_SetVar(interp,keyout,"",0); Tcl_SetVar(interp,pemout,"",0); } if (objc>=6) { if (Tcl_ListObjGetElements(interp, objv[5], &listc, &listv) != TCL_OK) { return TCL_ERROR; } if ((listc%2) != 0) { Tcl_SetResult(interp,"Information list must have even number of arguments",NULL); return TCL_ERROR; }
︙			︙
2769 2770 2771 2772 2773 2774 2775 ~~2776~~ 2777 2778 2779 2780 2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791 2792 2793 2794 2795 2796	#endif if (Tcl_PkgRequire(interp, "Tcl", "8.5-", 0) == NULL) { return TCL_ERROR; } #endif if (TlsLibInit(0) != TCL_OK) { ~~Tcl_AppendResult(interp, "could not initialize SSL library", ~~(char )~~ NULL);~~ return TCL_ERROR; } Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::connection", ConnectionInfoObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::unimport", UnimportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::status", StatusObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::protocols", ProtocolsObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); if (interp) { Tcl_Eval(interp, tlsTclInitScript); } return Tcl_PkgProvide(interp, PACKAGE_NAME, PACKAGE_VERSION); }	\| > > > > > > >	2918 2919 2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952	#endif if (Tcl_PkgRequire(interp, "Tcl", "8.5-", 0) == NULL) { return TCL_ERROR; } #endif if (TlsLibInit(0) != TCL_OK) { Tcl_AppendResult(interp, "could not initialize SSL library", NULL); return TCL_ERROR; } Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::connection", ConnectionInfoObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::unimport", UnimportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::status", StatusObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::protocols", ProtocolsObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::hash", HashCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::hashes", HashListCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::md4", HashMD4Cmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::md5", HashMD5Cmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::sha1", HashSHA1Cmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::sha256", HashSHA256Cmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); if (interp) { Tcl_Eval(interp, tlsTclInitScript); } return Tcl_PkgProvide(interp, PACKAGE_NAME, PACKAGE_VERSION); }
︙			︙