tls.tcl at [cc9314fa6e]

File library/tls.tcl artifact 48423522ec part of check-in cc9314fa6e


#
# Support functions for the TLS extension
#
# Copyright (C) 1997-2000 Matt Newman <[email protected]>
#
namespace eval tls {
    variable logcmd tclLog
    variable debug 0

    # Default flags passed to tls::import
    variable defaults {}

    # Maps UID to Server Socket
    variable srvmap
    variable srvuid 0

    # Over-ride this if you are using a different socket command
    variable socketCmd
    if {![info exists socketCmd]} {
	set socketCmd [info command ::socket]
    }

    # This is the possible arguments to tls::socket and tls::init
    # The format of this is a list of lists
    ## Each inner list contains the following elements
    ### Server (matched against "string match" for 0/1)
    ### Option name
    ### Variable to add the option to:
    #### sopts: [socket] option
    #### iopts: [tls::import] option
    ### How many arguments the following the option to consume
    variable socketOptionRules {
	{0 -async sopts 0}
	{* -myaddr sopts 1}
	{0 -myport sopts 1}
	{* -type sopts 1}
	{* -alpn iopts 1}
	{* -cadir iopts 1}
	{* -cafile iopts 1}
	{* -castore iopts 1}
	{* -cert iopts 1}
	{* -certfile iopts 1}
	{* -cipher iopts 1}
	{* -ciphersuites iopts 1}
	{* -command iopts 1}
	{* -dhparams iopts 1}
	{* -key iopts 1}
	{* -keyfile iopts 1}
	{* -password iopts 1}
	{* -post_handshake iopts 1}
	{* -request iopts 1}
	{* -require iopts 1}
	{* -securitylevel iopts 1}
	{* -autoservername discardOpts 1}
	{* -server iopts 1}
	{* -servername iopts 1}
	{* -session_id iopts 1}
	{* -ssl2 iopts 1}
	{* -ssl3 iopts 1}
	{* -tls1 iopts 1}
	{* -tls1.1 iopts 1}
	{* -tls1.2 iopts 1}
	{* -tls1.3 iopts 1}
	{* -validatecommand iopts 1}
	{* -vcmd iopts 1}
    }

    # tls::socket and tls::init options as a humane readable string
    variable socketOptionsNoServer
    variable socketOptionsServer

    # Internal [switch] body to validate options
    variable socketOptionsSwitchBody
}

proc tls::_initsocketoptions {} {
    variable socketOptionRules
    variable socketOptionsNoServer
    variable socketOptionsServer
    variable socketOptionsSwitchBody

    # Do not re-run if we have already been initialized
    if {[info exists socketOptionsSwitchBody]} {
	return
    }

    # Create several structures from our list of options
    ## 1. options: a text representation of the valid options for the current
    ##             server type
    ## 2. argSwitchBody: Switch body for processing arguments
    set options(0) [list]
    set options(1) [list]
    set argSwitchBody [list]
    foreach optionRule $socketOptionRules {
	set ruleServer [lindex $optionRule 0]
	set ruleOption [lindex $optionRule 1]
	set ruleVarToUpdate [lindex $optionRule 2]
	set ruleVarArgsToConsume [lindex $optionRule 3]

	foreach server [list 0 1] {
	    if {![string match $ruleServer $server]} {
		continue
	    }

	    lappend options($server) $ruleOption
	}

	switch -- $ruleVarArgsToConsume {
	    0 {
		set argToExecute {
		    lappend @VAR@ $arg
		    set argsArray($arg) true
		}
	    }
	    1 {
		set argToExecute {
		    incr idx
		    if {$idx >= [llength $args]} {
			return -code error "\"$arg\" option must be followed by value"
		    }
		    set argValue [lindex $args $idx]
		    lappend @VAR@ $arg $argValue
		    set argsArray($arg) $argValue
		}
	    }
	    default {
		return -code error "Internal argument construction error"
	    }
	}

	lappend argSwitchBody $ruleServer,$ruleOption [string map [list @VAR@ $ruleVarToUpdate] $argToExecute]
    }

    # Add in the final options
    lappend argSwitchBody {*,-*} {return -code error "bad option \"$arg\": must be one of $options"}
    lappend argSwitchBody default break

    # Set the final variables
    set socketOptionsNoServer   [join $options(0) {, }]
    set socketOptionsServer     [join $options(1) {, }]
    set socketOptionsSwitchBody $argSwitchBody
}

proc tls::initlib {dir dll} {
    # Package index cd's into the package directory for loading.
    # Irrelevant to unixoids, but for Windows this enables the OS to find
    # the dependent DLL's in the CWD, where they may be.
    set cwd [pwd]
    catch {cd $dir}
    if {[string equal $::tcl_platform(platform) "windows"] &&
	![string equal [lindex [file system $dir] 0] "native"]} {
	# If it is a wrapped executable running on windows, the openssl
	# dlls must be copied out of the virtual filesystem to the disk
	# where Windows will find them when resolving the dependency in
	# the tls dll. We choose to make them siblings of the executable.
	package require starkit
	set dst [file nativename [file dirname $starkit::topdir]]
	foreach sdll [glob -nocomplain -directory $dir -tails libssl32.dll libcrypto*.dll libssl*.dll libssp*.dll] {
	    catch {file delete -force            $dst/$sdll}
	    catch {file copy   -force $dir/$sdll $dst/$sdll}
	}
    }
    set res [catch {uplevel #0 [list load [file join [pwd] $dll]]} err]
    catch {cd $cwd}
    if {$res} {
	namespace eval [namespace parent] {namespace delete tls}
	return -code $res $err
    }
    rename tls::initlib {}
}


#
# Backwards compatibility, also used to set the default
# context options
#
proc tls::init {args} {
    variable defaults
    variable socketOptionsNoServer
    variable socketOptionsServer
    variable socketOptionsSwitchBody

    tls::_initsocketoptions

    # Technically a third option should be used here: Options that are valid
    # only a both servers and non-servers
    set server -1
    set options $socketOptionsServer

    # Validate arguments passed
    set initialArgs $args
    set argc [llength $args]

    array set argsArray [list]
    for {set idx 0} {$idx < $argc} {incr idx} {
	set arg [lindex $args $idx]
	switch -glob -- $server,$arg $socketOptionsSwitchBody
    }

    set defaults $initialArgs
}
#
# Helper function - behaves exactly as the native socket command.
#
proc tls::socket {args} {
    variable socketCmd
    variable defaults
    variable socketOptionsNoServer
    variable socketOptionsServer
    variable socketOptionsSwitchBody

    tls::_initsocketoptions

    set idx [lsearch $args -server]
    if {$idx != -1} {
	set server 1
	set callback [lindex $args [expr {$idx+1}]]
	set args [lreplace $args $idx [expr {$idx+1}]]

	set usage "wrong # args: should be \"tls::socket -server command ?options? port\""
	set options $socketOptionsServer
    } else {
	set server 0

	set usage "wrong # args: should be \"tls::socket ?options? host port\""
	set options $socketOptionsNoServer
    }

    # Combine defaults with current options
    set args [concat $defaults $args]

    set argc [llength $args]
    set sopts {}
    set iopts [list -server $server]

    array set argsArray [list]
    for {set idx 0} {$idx < $argc} {incr idx} {
	set arg [lindex $args $idx]
	switch -glob -- $server,$arg $socketOptionsSwitchBody
    }

    if {$server} {
	if {($idx + 1) != $argc} {
	    return -code error $usage
	}
	set uid [incr ::tls::srvuid]

	set port [lindex $args [expr {$argc-1}]]
	lappend sopts $port
	#set sopts [linsert $sopts 0 -server $callback]
	set sopts [linsert $sopts 0 -server [list tls::_accept $iopts $callback]]
	#set sopts [linsert $sopts 0 -server [list tls::_accept $uid $callback]]
    } else {
	if {($idx + 2) != $argc} {
	    return -code error $usage
	}

	set host [lindex $args [expr {$argc-2}]]
	set port [lindex $args [expr {$argc-1}]]

	# If an "-autoservername" option is found, honor it
	if {[info exists argsArray(-autoservername)] && $argsArray(-autoservername)} {
	    if {![info exists argsArray(-servername)]} {
		set argsArray(-servername) $host
		lappend iopts -servername $host
	    }
	}

	lappend sopts $host $port
    }
    #
    # Create TCP/IP socket
    #
    set chan [eval $socketCmd $sopts]
    if {!$server && [catch {
	#
	# Push SSL layer onto socket
	#
	eval [list tls::import] $chan $iopts
    } err]} {
	set info ${::errorInfo}
	catch {close $chan}
	return -code error -errorinfo $info $err
    }
    return $chan
}

# tls::_accept --
#
#   This is the actual accept that TLS sockets use, which then calls
#   the callback registered by tls::socket.
#
# Arguments:
#   iopts	tls::import opts
#   callback	server callback to invoke
#   chan	socket channel to accept/deny
#   ipaddr	calling IP address
#   port	calling port
#
# Results:
#   Returns an error if the callback throws one.
#
proc tls::_accept { iopts callback chan ipaddr port } {
    log 2 [list tls::_accept $iopts $callback $chan $ipaddr $port]

    set chan [eval [list tls::import $chan] $iopts]

    lappend callback $chan $ipaddr $port
    if {[catch {
	uplevel #0 $callback
    } err]} {
	log 1 "tls::_accept error: ${::errorInfo}"
	close $chan
	error $err $::errorInfo $::errorCode
    } else {
	log 2 "tls::_accept - called \"$callback\" succeeded"
    }
}

#
# Sample callback for status data from OpenSSL
#
proc tls::callback {option chan args} {
    variable debug

    switch -- $option {
	"error" {
	    lassign $args msg

	    log 0 "TLS/$chan: error: $msg"
	}
	"info" {
	    set type ""
	    lassign $args major minor msg type

	    if {$msg ne ""} {
		append state ": $msg"
	    }
	    # For tracing
	    upvar #0 tls::$chan cb
	    set cb($major) $minor

	    log 2 "TLS/$chan: $major/$minor: $state"
	}
	"message" {
	    lassign $args direction version content_type msg

	    log 0 "TLS/$chan: info: $direction $msg"
	}
	"session" {
	    lassign $args session_id ticket lifetime

	    log 0 "TLS/$chan: session: lifetime $lifetime"
	}
	"verify" {
	    # Backwards compatible for v1.7
	    return [tls::validate_command $option $chan {*}$args]
	}
	default	{
	    return -code error "bad option \"$option\":\
		    must be one of error, info, message, or session"
	}
    }
}

#
# Sample callback when return value is needed. New for TLS 1.8+.
#
proc tls::validate_command {option chan args} {
    variable debug

    switch -- $option {
	"alpn" {
	    lassign $args protocol match

	    log 0 "TLS/$chan: alpn: $protocol $match"
	}
	"hello" {
	   lassign $args servername

	    log 0 "TLS/$chan: hello: $servername"
	}
	"sni" {
	    lassign $args servername

	    log 0 "TLS/$chan: sni: $servername"
	}
	"verify" {
	    lassign $args depth cert rc err

	    array set c $cert

	    if {$rc ne "1"} {
		log 1 "TLS/$chan: verify/$depth: Bad Cert: $err (rc = $rc)"
	    } else {
		log 2 "TLS/$chan: verify/$depth: $c(subject)"
	    }
	    if {$debug > 0} {
		return 1;	# FORCE OK
	    } else {
		return $rc
	    }
	}
	default	{
	    return -code error "bad option \"$option\":\
		    must be one of alpn, hello, sni, or verify"
	}
    }
    return 1
}

proc tls::xhandshake {chan} {
    upvar #0 tls::$chan cb

    if {[info exists cb(handshake)] && \
	$cb(handshake) eq "done"} {
	return 1
    }
    while {1} {
	vwait tls::${chan}(handshake)
	if {![info exists cb(handshake)]} {
	    return 0
	}
	if {$cb(handshake) == "done"} {
	    return 1
	}
    }
}

#
# Sample callback to get password when needed. Args are new for TLS 1.8+.
#
proc tls::password {{option password} {rwflag 0} {size 0}} {
    log 0 "TLS/Password: did you forget to set your passwd!"
    # Return the worlds best kept secret password.
    return "secret"
}

proc tls::log {level msg} {
    variable debug
    variable logcmd

    if {$level > $debug || $logcmd eq ""} {
	return
    }
    set cmd $logcmd
    lappend cmd $msg
    uplevel #0 $cmd
}