Overview
Comment: | Merged changes from master. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | crypto |
Files: | files | file ages | folders |
SHA3-256: |
45be9618dc901c4f5991704e3148a315 |
User & Date: | bohagan on 2024-02-11 20:51:27 |
Other Links: | branch diff | manifest | tags |
Context
2024-02-11
| ||
21:24 | Updated test cases for OpenSSL 3.0. Added load legacy provider for obsolete algorithms. check-in: 8440f589be user: bohagan tags: crypto | |
20:51 | Merged changes from master. check-in: 45be9618dc user: bohagan tags: crypto | |
02:16 | Corrected memory leaks in use of dynamic strings check-in: 6287936460 user: bohagan tags: trunk | |
2024-02-06
| ||
02:42 | Added provider test cases check-in: 5a41ff9aa1 user: bohagan tags: crypto | |
Changes
Modified doc/tls.html
from [12b4e9e9d7]
to [9f9597a4e4].
︙ | ︙ | |||
17 18 19 20 21 22 23 | <dl> <dd><b>tls</b> - binding to <b>OpenSSL</b> library for socket and I/O channel communications.</dd> </dl> </dd> <dd><a href="#SYNOPSIS">SYNOPSIS</a> </dd> <dd><dl> | | | 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | <dl> <dd><b>tls</b> - binding to <b>OpenSSL</b> library for socket and I/O channel communications.</dd> </dl> </dd> <dd><a href="#SYNOPSIS">SYNOPSIS</a> </dd> <dd><dl> <dd><b>package require Tcl</b> <em>?<b>8.5</b>?</em></dd> <dd><b>package require tls</b></dd> <dt> </dt> <dd><b>tls::init</b> <em>?options?</em> </dd> <dd><b>tls::socket</b> <em>?options? host port</em></dd> <dd><b>tls::socket</b> <em>?-server command? ?options? port</em></dd> <dd><b>tls::handshake</b> <em> channel</em></dd> <dd><b>tls::status</b> <em>?-local? channel</em></dd> |
︙ | ︙ | |||
49 50 51 52 53 54 55 | <h3><a name="NAME">NAME</a></h3> <p><strong>tls</strong> - binding to <strong>OpenSSL</strong> library for socket and I/O channel communications.</p> <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> | | | > | | | | | | 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 | <h3><a name="NAME">NAME</a></h3> <p><strong>tls</strong> - binding to <strong>OpenSSL</strong> library for socket and I/O channel communications.</p> <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> <p><b>package require Tcl</b> <em>?<b>8.5</b>?</em><br> <b>package require tls</b><br> <br> <a href="#tls::init"><b>tls::init</b> <i>?options?</i></a><br> <a href="#tls::socket"><b>tls::socket</b> <i>?options? host port</i><br> <a href="#tls::socket"><b>tls::socket</b> <i>?-server command? ?options? port</i></a><br> <a href="#tls::status"><b>tls::status</b> <i>?-local? channel</i></a><br> <a href="#tls::connection"><b>tls::connection</b> <i>channel</i></a><br> <a href="#tls::handshake"><b>tls::handshake</b> <i>channel</i></a><br> <a href="#tls::import"><b>tls::import</b> <i>channel ?options?</i></a><br> <a href="#tls::unimport"><b>tls::unimport</b> <i>channel</i></a><br> <br> <a href="#tls::protocols"><b>tls::protocols</b></a><br> <a href="#tls::version"><b>tls::version</b></a><br> </p> <h3><a name="DESCRIPTION">DESCRIPTION</a></h3> <p>This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol. It provides a generic binding to <a href="http://www.openssl.org/">OpenSSL</a>, utilizing the <strong>Tcl_StackChannel</strong> API in Tcl 8.4 and higher. These sockets behave exactly the same as channels created using the built-in <strong>socket</strong> command, along with additional options for controlling the SSL session. </p> <h3><a name="COMMANDS">COMMANDS</a></h3> <p>Typically one would use the <strong>tls::socket </strong>command which provides compatibility with the native Tcl <strong>socket</strong> command. In such cases <strong>tls::import</strong> should not be |
︙ | ︙ | |||
457 458 459 460 461 462 463 | <br> <br> <dl> <dt> | | > | > | | | | > | > | | | | | > | | > > | | | > | 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 | <br> <br> <dl> <dt> <strong>error</strong> <em>channelId message</em> </dt> <dd> This form of callback is invoked whenever an error occurs during the initial connection, handshake, or I/O operations. The <em>message</em> argument can be from the Tcl_ErrnoMsg, OpenSSL function <code>ERR_reason_error_string()</code>, or a custom message. </dd> <br> <dt> <strong>info</strong> <em>channelId major minor message type</em> </dt> <dd> This form of callback is invoked by the OpenSSL function <code>SSL_set_info_callback()</code> during the initial connection and handshake operations. The <em>type</em> argument is new for TLS 1.8. The arguments are: <br> <ul> <li>Possible values for <em>major</em> are: <code>handshake, alert, connect, accept</code>.</li> <li>Possible values for <em>minor</em> are: <code>start, done, read, write, loop, exit</code>.</li> <li>The <em>message</em> argument is a descriptive string which may be generated either by <code>SSL_state_string_long()</code> or by <code>SSL_alert_desc_string_long()</code>, depending on the context.</li> <li>For alerts, the possible values for <em>type</em> are: <code>warning, fatal, and unknown</code>. For others, <code>info</code> is used.</li> </ul> </dd> <dt> <strong>message</strong> <em>channelId direction version content_type message</em> </dt> <dd> This form of callback is invoked by the OpenSSL function <code>SSL_set_msg_callback()</code> whenever a message is sent or received during the initial connection, handshake, or I/O operations. It is only available when OpenSSL is complied with the <em>enable-ssl-trace</em> option. Arguments are: <em>direction</em> is <b>Sent</b> or <b>Received</b>, <em>version</em> is the protocol version, <em>content_type</em> is the message content type, and <em>message</em> is more info from the <code>SSL_trace</code> API. This callback is new for TLS 1.8. </dd> <br> <dt> <strong>session</strong> <em>channelId session_id ticket lifetime</em> </dt> <dd> This form of callback is invoked by the OpenSSL function <code>SSL_CTX_sess_set_new_cb()</code> whenever a new session id is sent by the server during the initial connection and handshake, but can also be received later if the <b>-post_handshake</b> option is used. Arguments are: <em>session_id</em> is the current session identifier, <em>ticket</em> is the session ticket info, and <em>lifetime</em> is the the ticket lifetime in seconds. This callback is new for TLS 1.8. </dd> <br> </dl> </dd> <br> |
︙ | ︙ | |||
538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 | </dt> <dd> Invoked when loading or storing a PEM certificate with encryption. Where <em>rwflag</em> is 0 for reading/decryption or 1 for writing/encryption (can prompt user to confirm) and <em>size</em> is the max password length in bytes. The callback should return the password as a string. </dd> </dd> <br> <dt><strong>-validatecommand</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script during handshake in order to validate the provided value(s). See below for the possible | > | > | | | | | > | > | | | > > > > > > > > > > > > > > > > < < < < < < < < < < < < < | | | < | | | < < | | 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 | </dt> <dd> Invoked when loading or storing a PEM certificate with encryption. Where <em>rwflag</em> is 0 for reading/decryption or 1 for writing/encryption (can prompt user to confirm) and <em>size</em> is the max password length in bytes. The callback should return the password as a string. Both arguments are new for TLS 1.8. </dd> </dd> <br> <dt><strong>-validatecommand</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script during handshake in order to validate the provided value(s). See below for the possible arguments passed to the callback script. If not specified, OpenSSL will accept valid certificates and extensions. To reject the value and abort the connection, the callback should return 0. To accept the value and continue the connection, it should return 1. To reject the value, but continue the connection, it should return 2. <br> <br> <dl> <dt> <strong>alpn</strong> <em>channelId protocol match</em> </dt> <dd> For servers, this form of callback is invoked when the client ALPN extension is received. If <em>match</em> is true, <em>protocol</em> is the first <b>-alpn</b> option specified protocol common to both the client and server. If not, the first client specified protocol is used. It is called after the hello and ALPN callbacks. This callback is new for TLS 1.8. </dd> <br> <dt> <strong>hello</strong> <em>channelId servername</em> </dt> <dd> For servers, this form of callback is invoked during client hello message processing. The purpose is so the server can select the appropriate certificate to present to the client, and to make other configuration adjustments relevant to that server name and its configuration. It is called before the SNI and ALPN callbacks. This callback is new for TLS 1.8. </dd> <br> <dt> <strong>sni</strong> <em>channelId servername</em> </dt> <dd> For servers, this form of callback is invoked when the Server Name Indication (SNI) extension is received. The <em>servername</em> argument is the client provided server name in the <b>-servername</b> option. The purpose is so when a server supports multiple names, the right certificate can be used. It is called after the hello callback but before the ALPN callback. This callback is new for TLS 1.8. </dd> <br> <dt> <strong>verify</strong> <em>channelId depth cert status error</em> </dt> <dd> This form of callback is invoked by OpenSSL when a new certificate is received from the peer. It allows the client to check the certificate verification results and choose whether to continue or not. It is called for each certificate in the certificate chain. <ul> <li>The <em>depth</em> argument is the integer depth of the certificate in the certificate chain, where 0 is the peer certificate and higher values going up to the Certificate Authority (CA).</li> <li>The <em>cert</em> argument is a list of key-value pairs similar to those returned by <a href="#tls::status"><strong>tls::status</strong></a>.</li> <li>The <em>status</em> argument is the boolean validity of the current certificate where 0 is invalid and 1 is valid.</li> <li>The <em>error</em> argument is the error message, if any, generated by <code>X509_STORE_CTX_get_error()</code>.</li> </ul> </dd> <br> </dl> </dd> </dl> |
︙ | ︙ | |||
666 667 668 669 670 671 672 | decrypt the data. <p> The <strong>tls::debug</strong> variable provides some additional control over these reference callbacks. Its value is zero by default. Higher values produce more diagnostic output, and will also force the verify method in <strong>tls::callback</strong> to accept the | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > | > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > > > | | > | 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 | decrypt the data. <p> The <strong>tls::debug</strong> variable provides some additional control over these reference callbacks. Its value is zero by default. Higher values produce more diagnostic output, and will also force the verify method in <strong>tls::callback</strong> to accept the certificate, even when it is invalid if the <b>tls::validate_command</b> callback is used for the <b>-validatecommand</b> option. </p> <p> <em> The use of the variable <strong>tls::debug</strong> is not recommended. It may be removed from future releases. </em> </p> <h4><a name="DEBUG_EXAMPLES">Debug Examples</a></h4> <p>These examples use the default Unix platform SSL certificates. For standard installations, -cadir and -cafile should not be needed. If your certificates are in non-standard locations, update -cadir or use -cafile as needed.</p> <br> Example #1: Use HTTP package <pre><code> package require http package require tls set url "https://www.tcl.tk/" http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs \ -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command] # Check for error set token [http::geturl $url] if {[http::status $token] ne "ok"} { puts [format "Error %s" [http::status $token]] } # Get web page set data [http::data $token] puts [string length $data] # Cleanup ::http::cleanup $token </code></pre> Example #2: Use raw socket <pre><code> package require tls set url "www.tcl-lang.org" set port 443 set ch [tls::socket -autoservername 1 -servername $url -request 1 -require 1 \ -alpn {http/1.1} -cadir /etc/ssl/certs -command ::tls::callback \ -password ::tls::password -validatecommand ::tls::validate_command $url $port] chan configure $ch -buffersize 65536 tls::handshake $ch puts $ch "GET / HTTP/1.1" flush $ch after 500 set data [read $ch] array set status [tls::status $ch] array set conn [tls::connection $ch] array set chan [chan configure $ch] close $ch parray status parray conn parray chan </code></pre> <h3><a name="HTTPS EXAMPLE">HTTPS EXAMPLE</a></h3> <p>These examples use the default Unix platform SSL certificates. For standard installations, -cadir and -cafile should not be needed. If your certificates are in non-standard locations, update -cadir or use -cafile as needed.</p> Example #1: Get web page <pre><code> package require http package require tls set url "https://www.tcl.tk/" http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] # Check for error set token [http::geturl $url] if {[http::status $token] ne "ok"} { puts [format "Error %s" [http::status $token]] } # Get web page set data [http::data $token] puts $data # Cleanup ::http::cleanup $token </code></pre> Example #2: Download file <pre><code> package require http package require tls set url "https://wiki.tcl-lang.org/sitemap.xml" set filename [file tail $url] http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] # Get file set ch [open $filename wb] set token [::http::geturl $url -blocksize 65536 -channel $ch] # Cleanup close $ch ::http::cleanup $token </code></pre> <h3><a name="SPECIAL CONSIDERATIONS">SPECIAL CONSIDERATIONS</a></h3> <p>The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. Use the <strong>tls::protocols</strong> commands to obtain the supported protocol versions.</p> <h3><a name="SEE ALSO">SEE ALSO</a></h3> <p><strong>socket</strong>, <strong>fileevent</strong>, <strong>http</strong>, <a href="http://www.openssl.org/"><strong>OpenSSL</strong></a></p> <hr> <pre> Copyright © 1999 Matt Newman. Copyright © 2004 Starfish Systems. Copyright © 2023 Brian O'Hagan. </pre> </body> </html> |
Modified generic/tls.c
from [08e7f9d341]
to [e039ae1932].
︙ | ︙ | |||
48 49 50 51 52 53 54 | #define F2N(key, dsp) \ (((key) == NULL) ? (char *) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, | | | 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 | #define F2N(key, dsp) \ (((key) == NULL) ? (char *) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, int key_asn1_len, int cert_asn1_len, char *CApath, char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams); static int TlsLibInit(int uninitialize); #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 |
︙ | ︙ | |||
188 189 190 191 192 193 194 | if (where & SSL_CB_READ) minor = "read"; else if (where & SSL_CB_WRITE) minor = "write"; else if (where & SSL_CB_LOOP) minor = "loop"; else if (where & SSL_CB_EXIT) minor = "exit"; else minor = "unknown"; } | | | 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 | if (where & SSL_CB_READ) minor = "read"; else if (where & SSL_CB_WRITE) minor = "write"; else if (where & SSL_CB_LOOP) minor = "loop"; else if (where & SSL_CB_EXIT) minor = "exit"; else minor = "unknown"; } /* Create command to eval with fn, chan, major, minor, message, and type args */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("info", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(major, -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(minor, -1)); |
︙ | ︙ | |||
314 315 316 317 318 319 320 | n = BIO_read(bio, buffer, BIO_pending(bio) < 15000 ? BIO_pending(bio) : 14999); n = (n<0) ? 0 : n; buffer[n] = 0; (void)BIO_flush(bio); BIO_free(bio); } | | | 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 | n = BIO_read(bio, buffer, BIO_pending(bio) < 15000 ? BIO_pending(bio) : 14999); n = (n<0) ? 0 : n; buffer[n] = 0; (void)BIO_flush(bio); BIO_free(bio); } /* Create command to eval with fn, chan, direction, version, type, and message args */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("message", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(write_p ? "Sent" : "Received", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(ver, -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(type, -1)); |
︙ | ︙ | |||
392 393 394 395 396 397 398 | } } else if (cert == NULL || ssl == NULL) { return 0; } dprintf("VerifyCallback: eval callback"); | | | 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 | } } else if (cert == NULL || ssl == NULL) { return 0; } dprintf("VerifyCallback: eval callback"); /* Create command to eval with fn, chan, depth, cert info list, status, and error args */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(depth)); Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(ok)); |
︙ | ︙ | |||
442 443 444 445 446 447 448 | statePtr->err = msg; dprintf("Called"); if (statePtr->callback == (Tcl_Obj*)NULL) return; | | | 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 | statePtr->err = msg; dprintf("Called"); if (statePtr->callback == (Tcl_Obj*)NULL) return; /* Create command to eval with fn, chan, and message args */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); if (msg != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); |
︙ | ︙ | |||
532 533 534 535 536 537 538 | strncpy(buf, ret, (size_t) size); return (int)strlen(ret); } else { return -1; } } | | | 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 | strncpy(buf, ret, (size_t) size); return (int)strlen(ret); } else { return -1; } } /* Create command to eval with fn, rwflag, and size args */ cmdPtr = Tcl_DuplicateObj(statePtr->password); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("password", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(rwflag)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(size)); Tcl_Preserve((ClientData) interp); Tcl_Preserve((ClientData) statePtr); |
︙ | ︙ | |||
611 612 613 614 615 616 617 | if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } else if (ssl == NULL) { return SSL_TLSEXT_ERR_NOACK; } | | | 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 | if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } else if (ssl == NULL) { return SSL_TLSEXT_ERR_NOACK; } /* Create command to eval with fn, chan, session id, session ticket, and lifetime args */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); /* Session id */ session_id = SSL_SESSION_get_id(session, &ulen); |
︙ | ︙ | |||
688 689 690 691 692 693 694 | res = SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj*)NULL) { return res; } | | | 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 | res = SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj*)NULL) { return res; } /* Create command to eval with fn, chan, depth, cert info list, status, and error args */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj((const char *) *out, -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewBooleanObj(res == SSL_TLSEXT_ERR_OK)); |
︙ | ︙ | |||
801 802 803 804 805 806 807 | return SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } | | | 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 | return SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } /* Create command to eval with fn, chan, and server name args */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("sni", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername , -1)); /* Eval callback command */ |
︙ | ︙ | |||
903 904 905 906 907 908 909 | if (len + 2 > remaining) { *alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; return SSL_CLIENT_HELLO_ERROR; } remaining = len; servername = (const char *)p; | | | 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 | if (len + 2 > remaining) { *alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; return SSL_CLIENT_HELLO_ERROR; } remaining = len; servername = (const char *)p; /* Create command to eval with fn, chan, and server name args */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (Tcl_Size) len)); /* Eval callback command */ |
︙ | ︙ | |||
985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 | ret = Tls_WaitForConnect(statePtr, &err, 1); dprintf("Tls_WaitForConnect returned: %i", ret); if (ret < 0 && ((statePtr->flags & TLS_TCL_ASYNC) && (err == EAGAIN))) { dprintf("Async set and err = EAGAIN"); ret = 0; } else if (ret < 0) { errStr = statePtr->err; Tcl_ResetResult(interp); Tcl_SetErrno(err); if (!errStr || (*errStr == 0)) { errStr = Tcl_PosixError(interp); } Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL); Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char *) NULL); dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); return(TCL_ERROR); } else { if (err != 0) { dprintf("Got an error with a completed handshake: err = %i", err); } | > > > > | 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 | ret = Tls_WaitForConnect(statePtr, &err, 1); dprintf("Tls_WaitForConnect returned: %i", ret); if (ret < 0 && ((statePtr->flags & TLS_TCL_ASYNC) && (err == EAGAIN))) { dprintf("Async set and err = EAGAIN"); ret = 0; } else if (ret < 0) { long result; errStr = statePtr->err; Tcl_ResetResult(interp); Tcl_SetErrno(err); if (!errStr || (*errStr == 0)) { errStr = Tcl_PosixError(interp); } Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL); if ((result = SSL_get_verify_result(statePtr->ssl)) != X509_V_OK) { Tcl_AppendResult(interp, " due to \"", X509_verify_cert_error_string(result), "\"", (char *) NULL); } Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char *) NULL); dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); return(TCL_ERROR); } else { if (err != 0) { dprintf("Got an error with a completed handshake: err = %i", err); } |
︙ | ︙ | |||
1044 1045 1046 1047 1048 1049 1050 | * *------------------------------------------------------------------- */ static int ImportObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { Tcl_Channel chan; /* The channel to set a mode on. */ State *statePtr; /* client state for ssl socket */ | | | | | | | | | | | | | | | | | | | | | | 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 | * *------------------------------------------------------------------- */ static int ImportObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { Tcl_Channel chan; /* The channel to set a mode on. */ State *statePtr; /* client state for ssl socket */ SSL_CTX *ctx = NULL; Tcl_Obj *cmdObj = NULL; Tcl_Obj *passwdObj = NULL; Tcl_Obj *vcmd = NULL; Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; int idx; Tcl_Size fn, len; int flags = TLS_TCL_INIT; int server = 0; /* is connection incoming or outgoing? */ char *keyfile = NULL; char *certfile = NULL; unsigned char *key = NULL; Tcl_Size key_len = 0; unsigned char *cert = NULL; Tcl_Size cert_len = 0; char *ciphers = NULL; char *ciphersuites = NULL; char *CAfile = NULL; char *CApath = NULL; char *DHparams = NULL; char *model = NULL; char *servername = NULL; /* hostname for Server Name Indication */ const unsigned char *session_id = NULL; Tcl_Size sess_len = 0; Tcl_Obj *alpnObj = NULL; int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; int verify = 0, require = 0, request = 1, post_handshake = 0; (void) clientData; |
︙ | ︙ | |||
1121 1122 1123 1124 1125 1126 1127 | } switch(fn) { case _opt_alpn: alpnObj = objv[idx]; break; case _opt_cadir: | | | 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 | } switch(fn) { case _opt_alpn: alpnObj = objv[idx]; break; case _opt_cadir: GET_OPT_STRING(objv[idx], CApath, NULL); break; case _opt_cafile: GET_OPT_STRING(objv[idx], CAfile, NULL); break; case _opt_cert: GET_OPT_BYTE_ARRAY(objv[idx], cert, &cert_len); break; |
︙ | ︙ | |||
1223 1224 1225 1226 1227 1228 1229 | if (cert && !*cert) cert = NULL; if (key && !*key) key = NULL; if (certfile && !*certfile) certfile = NULL; if (keyfile && !*keyfile) keyfile = NULL; if (ciphers && !*ciphers) ciphers = NULL; if (ciphersuites && !*ciphersuites) ciphersuites = NULL; if (CAfile && !*CAfile) CAfile = NULL; | | | 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 | if (cert && !*cert) cert = NULL; if (key && !*key) key = NULL; if (certfile && !*certfile) certfile = NULL; if (keyfile && !*keyfile) keyfile = NULL; if (ciphers && !*ciphers) ciphers = NULL; if (ciphersuites && !*ciphersuites) ciphersuites = NULL; if (CAfile && !*CAfile) CAfile = NULL; if (CApath && !*CApath) CApath = NULL; if (DHparams && !*DHparams) DHparams = NULL; /* new SSL state */ statePtr = (State *) ckalloc((unsigned) sizeof(State)); memset(statePtr, 0, sizeof(State)); statePtr->flags = flags; |
︙ | ︙ | |||
1285 1286 1287 1288 1289 1290 1291 | Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; } else { if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, (int) key_len, | | | 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 | Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; } else { if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, (int) key_len, (int) cert_len, CApath, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) { Tls_Free((char *) statePtr); return TCL_ERROR; } } statePtr->ctx = ctx; |
︙ | ︙ | |||
1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 | return TCL_ERROR; } Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation)); Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding)); Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar)); Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking)); /* * SSL Initialization */ statePtr->ssl = SSL_new(statePtr->ctx); if (!statePtr->ssl) { /* SSL library error */ | > > > > | 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 | return TCL_ERROR; } Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation)); Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding)); Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar)); Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking)); Tcl_DStringFree(&upperChannelTranslation); Tcl_DStringFree(&upperChannelEncoding); Tcl_DStringFree(&upperChannelEOFChar); Tcl_DStringFree(&upperChannelBlocking); /* * SSL Initialization */ statePtr->ssl = SSL_new(statePtr->ctx); if (!statePtr->ssl) { /* SSL library error */ |
︙ | ︙ | |||
1568 1569 1570 1571 1572 1573 1574 | * Side effects: * constructs SSL context (CTX) * *------------------------------------------------------------------- */ static SSL_CTX * CTX_Init(State *statePtr, int isServer, int proto, char *keyfile, char *certfile, | | < | | 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 | * Side effects: * constructs SSL context (CTX) * *------------------------------------------------------------------- */ static SSL_CTX * CTX_Init(State *statePtr, int isServer, int proto, char *keyfile, char *certfile, unsigned char *key, unsigned char *cert, int key_len, int cert_len, char *CApath, char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams) { Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; Tcl_DString ds; int off = 0, abort = 0; int load_private_key; const SSL_METHOD *method; dprintf("Called"); if (!proto) { Tcl_AppendResult(interp, "no valid protocol selected", (char *) NULL); |
︙ | ︙ | |||
1754 1755 1756 1757 1758 1759 1760 | return NULL; } #else { DH* dh; if (DHparams != NULL) { BIO *bio; | < | 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 | return NULL; } #else { DH* dh; if (DHparams != NULL) { BIO *bio; bio = BIO_new_file(F2N(DHparams, &ds), "r"); if (!bio) { Tcl_DStringFree(&ds); Tcl_AppendResult(interp, "Could not find DH parameters file", (char *) NULL); SSL_CTX_free(ctx); return NULL; } |
︙ | ︙ | |||
1790 1791 1792 1793 1794 1795 1796 | #endif /* set our certificate */ load_private_key = 0; if (certfile != NULL) { load_private_key = 1; | < < > > < > < | 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 | #endif /* set our certificate */ load_private_key = 0; if (certfile != NULL) { load_private_key = 1; if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) { Tcl_DStringFree(&ds); Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ", GET_ERR_REASON(), (char *) NULL); SSL_CTX_free(ctx); return NULL; } Tcl_DStringFree(&ds); } else if (cert != NULL) { load_private_key = 1; if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) { Tcl_AppendResult(interp, "unable to set certificate: ", GET_ERR_REASON(), (char *) NULL); SSL_CTX_free(ctx); return NULL; } } else { certfile = (char*)X509_get_default_cert_file(); if (SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM) <= 0) { #if 0 Tcl_AppendResult(interp, "unable to use default certificate file ", certfile, ": ", GET_ERR_REASON(), (char *) NULL); SSL_CTX_free(ctx); return NULL; #endif } } |
︙ | ︙ | |||
1847 1848 1849 1850 1851 1852 1853 | SSL_CTX_free(ctx); return NULL; } Tcl_DStringFree(&ds); } else if (key != NULL) { if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) { | < | < < < < | < | | > > > > > > > > | < < > > | | | > > > > > > > > > | > > > > > > > > > > > > | > > | > > > > < < < < < < < < < < < | 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 | SSL_CTX_free(ctx); return NULL; } Tcl_DStringFree(&ds); } else if (key != NULL) { if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) { /* flush the passphrase which might be left in the result */ Tcl_SetResult(interp, NULL, TCL_STATIC); Tcl_AppendResult(interp, "unable to set public key: ", GET_ERR_REASON(), (char *) NULL); SSL_CTX_free(ctx); return NULL; } } /* Now we know that a key and cert have been set against * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) { Tcl_AppendResult(interp, "private key does not match the certificate public key", (char *) NULL); SSL_CTX_free(ctx); return NULL; } } /* Set to use default location and file for Certificate Authority (CA) certificates. The * verify path and store can be overridden by the SSL_CERT_DIR env var. The verify file can * be overridden by the SSL_CERT_FILE env var. */ if (!SSL_CTX_set_default_verify_paths(ctx)) { abort++; } /* Overrides for the CA verify path and file */ { #if OPENSSL_VERSION_NUMBER < 0x30000000L if (CApath != NULL || CAfile != NULL) { Tcl_DString ds1; if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) { abort++; } Tcl_DStringFree(&ds); Tcl_DStringFree(&ds1); /* Set list of CAs to send to client when requesting a client certificate */ /* https://sourceforge.net/p/tls/bugs/57/ */ /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */ STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); if (certNames != NULL) { SSL_CTX_set_client_CA_list(ctx, certNames); } Tcl_DStringFree(&ds); } #else if (CApath != NULL) { if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) { abort++; } Tcl_DStringFree(&ds); } if (CAfile != NULL) { if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) { abort++; } Tcl_DStringFree(&ds); /* Set list of CAs to send to client when requesting a client certificate */ STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); if (certNames != NULL) { SSL_CTX_set_client_CA_list(ctx, certNames); } Tcl_DStringFree(&ds); } #endif } return ctx; } /* *------------------------------------------------------------------- * * StatusObjCmd -- return certificate for connected peer. |
︙ | ︙ |
Modified generic/tlsIO.c
from [7b8e3f850c]
to [bf4be12b9f].
︙ | ︙ | |||
161 162 163 164 165 166 167 | dprintf("Accept or connect failed"); } rc = SSL_get_error(statePtr->ssl, err); backingError = ERR_get_error(); if (rc != SSL_ERROR_NONE) { dprintf("Got error: %i (rc = %i)", err, rc); | | | 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 | dprintf("Accept or connect failed"); } rc = SSL_get_error(statePtr->ssl, err); backingError = ERR_get_error(); if (rc != SSL_ERROR_NONE) { dprintf("Got error: %i (rc = %i)", err, rc); dprintf("Got error: %s", ERR_reason_error_string(backingError)); } bioShouldRetry = 0; if (err <= 0) { if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) { bioShouldRetry = 1; } else if (BIO_should_retry(statePtr->bio)) { |
︙ | ︙ | |||
185 186 187 188 189 190 191 192 193 194 195 196 197 198 | if (bioShouldRetry) { dprintf("The I/O did not complete -- but we should try it again"); if (statePtr->flags & TLS_TCL_ASYNC) { dprintf("Returning EAGAIN so that it can be retried later"); *errorCodePtr = EAGAIN; return(-1); } else { dprintf("Doing so now"); continue; } } | > | 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 | if (bioShouldRetry) { dprintf("The I/O did not complete -- but we should try it again"); if (statePtr->flags & TLS_TCL_ASYNC) { dprintf("Returning EAGAIN so that it can be retried later"); *errorCodePtr = EAGAIN; Tls_Error(statePtr, "Handshake not complete, will retry later"); return(-1); } else { dprintf("Doing so now"); continue; } } |
︙ | ︙ | |||
224 225 226 227 228 229 230 | } else if (backingError == 0 && err == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); if (*errorCodePtr == ECONNRESET) { *errorCodePtr = ECONNABORTED; } | | | > > > < < < | 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 | } else if (backingError == 0 && err == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); if (*errorCodePtr == ECONNRESET) { *errorCodePtr = ECONNABORTED; } Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr)); } else { dprintf("I/O error occurred (backingError = %lu)", backingError); *errorCodePtr = Tcl_GetErrno(); if (*errorCodePtr == ECONNRESET) { *errorCodePtr = ECONNABORTED; } Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); } statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; return(-1); case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately"); if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); } if (backingError != 0) { Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); } statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; *errorCodePtr = ECONNABORTED; return(-1); case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_X509_LOOKUP: |
︙ | ︙ | |||
363 364 365 366 367 368 369 370 371 372 373 374 375 376 | break; case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ dprintf("SSL error, indicating that the connection has been aborted"); if (backingError != 0) { Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); } *errorCodePtr = ECONNABORTED; bytesRead = -1; #if OPENSSL_VERSION_NUMBER >= 0x30000000L /* Unexpected EOF from the peer for OpenSSL 3.0+ */ if (ERR_GET_REASON(backingError) == SSL_R_UNEXPECTED_EOF_WHILE_READING) { | > > > > | 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 | break; case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ dprintf("SSL error, indicating that the connection has been aborted"); if (backingError != 0) { Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); } else { Tls_Error(statePtr, "Unknown SSL error"); } *errorCodePtr = ECONNABORTED; bytesRead = -1; #if OPENSSL_VERSION_NUMBER >= 0x30000000L /* Unexpected EOF from the peer for OpenSSL 3.0+ */ if (ERR_GET_REASON(backingError) == SSL_R_UNEXPECTED_EOF_WHILE_READING) { |
︙ | ︙ | |||
391 392 393 394 395 396 397 | bytesRead = 0; Tls_Error(statePtr, "EOF reached"); } else if (backingError == 0 && bytesRead == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); bytesRead = -1; | | | | 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 | bytesRead = 0; Tls_Error(statePtr, "EOF reached"); } else if (backingError == 0 && bytesRead == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); bytesRead = -1; Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr)); } else { dprintf("I/O error occurred (backingError = %lu)", backingError); *errorCodePtr = Tcl_GetErrno(); bytesRead = -1; Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); } break; case SSL_ERROR_ZERO_RETURN: dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached"); |
︙ | ︙ | |||
419 420 421 422 423 424 425 426 427 428 | Tls_Error(statePtr, "SSL_ERROR_WANT_READ"); break; default: dprintf("Unknown error (err = %i), mapping to EOF", err); *errorCodePtr = 0; bytesRead = 0; break; } | > < < < | 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 | Tls_Error(statePtr, "SSL_ERROR_WANT_READ"); break; default: dprintf("Unknown error (err = %i), mapping to EOF", err); *errorCodePtr = 0; bytesRead = 0; Tls_Error(statePtr, "Unknown error"); break; } dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr); return(bytesRead); } /* *------------------------------------------------------------------- * |
︙ | ︙ | |||
486 487 488 489 490 491 492 493 494 495 496 497 498 499 | if (toWrite == 0) { dprintf("zero-write"); err = BIO_flush(statePtr->bio); if (err <= 0) { dprintf("Flushing failed"); *errorCodePtr = EIO; written = 0; return(-1); } written = 0; | > | 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 | if (toWrite == 0) { dprintf("zero-write"); err = BIO_flush(statePtr->bio); if (err <= 0) { dprintf("Flushing failed"); Tls_Error(statePtr, "Flush failed"); *errorCodePtr = EIO; written = 0; return(-1); } written = 0; |
︙ | ︙ | |||
558 559 560 561 562 563 564 | written = 0; Tls_Error(statePtr, "EOF reached"); } else if (backingError == 0 && written == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); written = -1; | | | > > > > > < < < | 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 | written = 0; Tls_Error(statePtr, "EOF reached"); } else if (backingError == 0 && written == -1) { dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno()); *errorCodePtr = Tcl_GetErrno(); written = -1; Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr)); } else { dprintf("I/O error occurred (backingError = %lu)", backingError); *errorCodePtr = Tcl_GetErrno(); written = -1; Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); } break; case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */ dprintf("SSL error, indicating that the connection has been aborted"); if (backingError != 0) { Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError)); } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); } else { Tls_Error(statePtr, "Unknown SSL error"); } *errorCodePtr = ECONNABORTED; written = -1; break; default: dprintf("unknown error: %d", err); Tls_Error(statePtr, "Unknown error"); break; } dprintf("Output(%d) -> %d", toWrite, written); return(written); } /* *------------------------------------------------------------------- * |
︙ | ︙ |
Modified tests/README.txt
from [673cb36188]
to [dc27a7e2a2].
1 2 | Create Test Cases | | | < | > | | > | > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | Create Test Cases 1. Create the test case *.csv file. You can use multiple files. Generally it's a good idea to group like functions in the same file. 2. Add test cases to *.csv files. Each test case is on a separate line. The column titles correspond to the tcltest tool options. Leave a column blank if not used. 3. Define any common functions in a common.tcl or in *.csv file. 4. To create the test cases script, execute make_test_files.tcl. This will use the *.csv files to create the *.test files. Execute Test Suite 5. To run the test suite, execute the all.tcl file. Special Notes On systems that don't use a standard OpenSSL installation, the following environment variables can be used to set SSL cert info: SSL_CERT_FILE = Set to file with SSL CA certificates in OpenSSL compatible format. The usual file name is /path/to/cacert.pem. SSL_CERT_DIR = Path to directory with CA files. |
Modified tests/badssl.csv
from [152d5864b6]
to [0bcd6b3e35].
1 2 3 | # Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes command,package require tls,,,,,,,,, ,,,,,,,,,, | < < < | | | > | > | > | > | | | | | | | | | | | | | | > | > | | | | > | | > | > | > | | > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 | # Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes command,package require tls,,,,,,,,, ,,,,,,,,,, command,# Constraints,,,,,,,,, command,source [file join [file dirname [info script]] common.tcl],,,,,,,,, ,,,,,,,,,, command,# Helper functions,,,,,,,,, command,"proc badssl {url} {set port 443;lassign [split $url "":""] url port;if {$port eq """"} {set port 443};set cmd [list tls::socket -autoservername 1 -require 1];if {[info exists ::env(SSL_CERT_FILE)]} {lappend cmd -cafile $::env(SSL_CERT_FILE)};lappend cmd $url $port;set ch [eval $cmd];if {[catch {tls::handshake $ch} err]} {close $ch;return -code error $err} else {close $ch}}",,,,,,,,, ,,,,,,,,,, command,# BadSSL.com Tests,,,,,,,,, BadSSL,1000-sans,,,badssl 1000-sans.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,10000-sans,,,badssl 10000-sans.badssl.com,,,handshake failed: excessive message size,,,1 BadSSL,3des,,,badssl 3des.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 BadSSL,captive-portal,old_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1 BadSSL,captive-portal,new_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1 BadSSL,cbc,,,badssl cbc.badssl.com,,,,,, BadSSL,client-cert-missing,,,badssl client-cert-missing.badssl.com,,,,,, BadSSL,client,,,badssl client.badssl.com,,,,,, BadSSL,dh-composite,old_api,,badssl dh-composite.badssl.com,,,,,, BadSSL,dh-composite,new_api,,badssl dh-composite.badssl.com,,,handshake failed: dh key too small,,,1 BadSSL,dh-small-subgroup,,,badssl dh-small-subgroup.badssl.com,,,,,, BadSSL,dh480,old_api,,badssl dh480.badssl.com,,,handshake failed: dh key too small,,,1 BadSSL,dh480,new_api,,badssl dh480.badssl.com,,,handshake failed: modulus too small,,,1 BadSSL,dh512,,,badssl dh512.badssl.com,,,handshake failed: dh key too small,,,1 BadSSL,dh1024,old_api,,badssl dh1024.badssl.com,,,,,, BadSSL,dh1024,new_api,,badssl dh1024.badssl.com,,,handshake failed: dh key too small,,,1 BadSSL,dh2048,,,badssl dh2048.badssl.com,,,,,, BadSSL,dsdtestprovider,,,badssl dsdtestprovider.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,ecc256,,,badssl ecc256.badssl.com,,,,,, BadSSL,ecc384,,,badssl ecc384.badssl.com,,,,,, BadSSL,edellroot,,,badssl edellroot.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,expired,,,badssl expired.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,extended-validation,,,badssl extended-validation.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,hsts,,,badssl hsts.badssl.com,,,,,, BadSSL,https-everywhere,,,badssl https-everywhere.badssl.com,,,,,, BadSSL,incomplete-chain,,,badssl incomplete-chain.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,invalid-expected-sct,,,badssl invalid-expected-sct.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,long-extended-subdomain-name-containing-many-letters-and-dashes,,,badssl long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com,,,,,, BadSSL,longextendedsubdomainnamewithoutdashesinordertotestwordwrapping,,,badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com,,,,,, BadSSL,mitm-software,,,badssl mitm-software.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,no-common-name,,,badssl no-common-name.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,no-sct,,,badssl no-sct.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,no-subject,,,badssl no-subject.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,null,,,badssl null.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 BadSSL,pinning-test,,,badssl pinning-test.badssl.com,,,,,, BadSSL,preact-cli,,,badssl preact-cli.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,preloaded-hsts,,,badssl preloaded-hsts.badssl.com,,,,,, BadSSL,rc4-md5,,,badssl rc4-md5.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 BadSSL,rc4,,,badssl rc4.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 BadSSL,revoked,,,badssl revoked.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,rsa2048,,,badssl rsa2048.badssl.com,,,,,, BadSSL,rsa4096,,,badssl rsa4096.badssl.com,,,,,, BadSSL,rsa8192,,,badssl rsa8192.badssl.com,,,,,, BadSSL,self-signed,old_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate""",,,1 BadSSL,self-signed,new_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self-signed certificate""",,,1 BadSSL,sha1-2016,,,badssl sha1-2016.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,sha1-2017,old_api,,badssl sha1-2017.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,sha1-2017,new_api,,badssl sha1-2017.badssl.com,,,"handshake failed: certificate verify failed due to ""CA signature digest algorithm too weak""",,,1 BadSSL,sha1-intermediate,,,badssl sha1-intermediate.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,sha256,,,badssl sha256.badssl.com,,,,,, BadSSL,sha384,,,badssl sha384.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,sha512,,,badssl sha512.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,static-rsa,,,badssl static-rsa.badssl.com,,,,,, BadSSL,subdomain.preloaded-hsts,old_api,,badssl subdomain.preloaded-hsts.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1 BadSSL,subdomain.preloaded-hsts,new_api,,badssl subdomain.preloaded-hsts.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1 BadSSL,superfish,,,badssl superfish.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,tls-v1-0:1010,tls1 old_api,,badssl tls-v1-0.badssl.com:1010,,,,,, BadSSL,tls-v1-0:1010,tls1 new_api,,badssl tls-v1-0.badssl.com:1010,,,handshake failed: unsupported protocol,,,1 BadSSL,tls-v1-1:1011,tls1.1 old_api,,badssl tls-v1-1.badssl.com:1011,,,,,, BadSSL,tls-v1-1:1011,tls1.1 new_api,,badssl tls-v1-1.badssl.com:1011,,,handshake failed: unsupported protocol,,,1 BadSSL,tls-v1-2:1012,tls1.2,,badssl tls-v1-2.badssl.com:1012,,,,,, BadSSL,untrusted-root,old_api,,badssl untrusted-root.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate in certificate chain""",,,1 BadSSL,untrusted-root,new_api,,badssl untrusted-root.badssl.com,,,"handshake failed: certificate verify failed due to ""self-signed certificate in certificate chain""",,,1 BadSSL,upgrade,,,badssl upgrade.badssl.com,,,,,, BadSSL,webpack-dev-server,,,badssl webpack-dev-server.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,wrong.host,old_api,,badssl wrong.host.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1 BadSSL,wrong.host,new_api,,badssl wrong.host.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1 BadSSL,mozilla-modern,,,badssl mozilla-modern.badssl.com,,,,,, |
Modified tests/badssl.test
from [62a312d78a]
to [4b748d171a].
1 2 3 4 5 6 7 8 9 10 11 12 | # Auto generated test cases for badssl.csv # Load Tcl Test package if {[lsearch [namespace children] ::tcltest] == -1} { package require tcltest namespace import ::tcltest::* } set auto_path [concat [list [file dirname [file dirname [info script]]]] $auto_path] package require tls | < < < | | | | | > > > > | | | > > > > | | > > > > | | > > > > | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | > > > | > | | | | | > > > > | | | | | | | | > | > > > | | | | > > > > | > > > > | > | > > > | | | > > > > | | | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 | # Auto generated test cases for badssl.csv # Load Tcl Test package if {[lsearch [namespace children] ::tcltest] == -1} { package require tcltest namespace import ::tcltest::* } set auto_path [concat [list [file dirname [file dirname [info script]]]] $auto_path] package require tls # Constraints source [file join [file dirname [info script]] common.tcl] # Helper functions proc badssl {url} {set port 443;lassign [split $url ":"] url port;if {$port eq ""} {set port 443};set cmd [list tls::socket -autoservername 1 -require 1];if {[info exists ::env(SSL_CERT_FILE)]} {lappend cmd -cafile $::env(SSL_CERT_FILE)};lappend cmd $url $port;set ch [eval $cmd];if {[catch {tls::handshake $ch} err]} {close $ch;return -code error $err} else {close $ch}} # BadSSL.com Tests test BadSSL-1.1 {1000-sans} -body { badssl 1000-sans.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.2 {10000-sans} -body { badssl 10000-sans.badssl.com } -result {handshake failed: excessive message size} -returnCodes {1} test BadSSL-1.3 {3des} -body { badssl 3des.badssl.com } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} test BadSSL-1.4 {captive-portal} -constraints {old_api} -body { badssl captive-portal.badssl.com } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} test BadSSL-1.5 {captive-portal} -constraints {new_api} -body { badssl captive-portal.badssl.com } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1} test BadSSL-1.6 {cbc} -body { badssl cbc.badssl.com } test BadSSL-1.7 {client-cert-missing} -body { badssl client-cert-missing.badssl.com } test BadSSL-1.8 {client} -body { badssl client.badssl.com } test BadSSL-1.9 {dh-composite} -constraints {old_api} -body { badssl dh-composite.badssl.com } test BadSSL-1.10 {dh-composite} -constraints {new_api} -body { badssl dh-composite.badssl.com } -result {handshake failed: dh key too small} -returnCodes {1} test BadSSL-1.11 {dh-small-subgroup} -body { badssl dh-small-subgroup.badssl.com } test BadSSL-1.12 {dh480} -constraints {old_api} -body { badssl dh480.badssl.com } -result {handshake failed: dh key too small} -returnCodes {1} test BadSSL-1.13 {dh480} -constraints {new_api} -body { badssl dh480.badssl.com } -result {handshake failed: modulus too small} -returnCodes {1} test BadSSL-1.14 {dh512} -body { badssl dh512.badssl.com } -result {handshake failed: dh key too small} -returnCodes {1} test BadSSL-1.15 {dh1024} -constraints {old_api} -body { badssl dh1024.badssl.com } test BadSSL-1.16 {dh1024} -constraints {new_api} -body { badssl dh1024.badssl.com } -result {handshake failed: dh key too small} -returnCodes {1} test BadSSL-1.17 {dh2048} -body { badssl dh2048.badssl.com } test BadSSL-1.18 {dsdtestprovider} -body { badssl dsdtestprovider.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.19 {ecc256} -body { badssl ecc256.badssl.com } test BadSSL-1.20 {ecc384} -body { badssl ecc384.badssl.com } test BadSSL-1.21 {edellroot} -body { badssl edellroot.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.22 {expired} -body { badssl expired.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.23 {extended-validation} -body { badssl extended-validation.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.24 {hsts} -body { badssl hsts.badssl.com } test BadSSL-1.25 {https-everywhere} -body { badssl https-everywhere.badssl.com } test BadSSL-1.26 {incomplete-chain} -body { badssl incomplete-chain.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.27 {invalid-expected-sct} -body { badssl invalid-expected-sct.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.28 {long-extended-subdomain-name-containing-many-letters-and-dashes} -body { badssl long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com } test BadSSL-1.29 {longextendedsubdomainnamewithoutdashesinordertotestwordwrapping} -body { badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com } test BadSSL-1.30 {mitm-software} -body { badssl mitm-software.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.31 {no-common-name} -body { badssl no-common-name.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.32 {no-sct} -body { badssl no-sct.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.33 {no-subject} -body { badssl no-subject.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.34 {null} -body { badssl null.badssl.com } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} test BadSSL-1.35 {pinning-test} -body { badssl pinning-test.badssl.com } test BadSSL-1.36 {preact-cli} -body { badssl preact-cli.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.37 {preloaded-hsts} -body { badssl preloaded-hsts.badssl.com } test BadSSL-1.38 {rc4-md5} -body { badssl rc4-md5.badssl.com } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} test BadSSL-1.39 {rc4} -body { badssl rc4.badssl.com } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} test BadSSL-1.40 {revoked} -body { badssl revoked.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.41 {rsa2048} -body { badssl rsa2048.badssl.com } test BadSSL-1.42 {rsa4096} -body { badssl rsa4096.badssl.com } test BadSSL-1.43 {rsa8192} -body { badssl rsa8192.badssl.com } test BadSSL-1.44 {self-signed} -constraints {old_api} -body { badssl self-signed.badssl.com } -result {handshake failed: certificate verify failed due to "self signed certificate"} -returnCodes {1} test BadSSL-1.45 {self-signed} -constraints {new_api} -body { badssl self-signed.badssl.com } -result {handshake failed: certificate verify failed due to "self-signed certificate"} -returnCodes {1} test BadSSL-1.46 {sha1-2016} -body { badssl sha1-2016.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.47 {sha1-2017} -constraints {old_api} -body { badssl sha1-2017.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.48 {sha1-2017} -constraints {new_api} -body { badssl sha1-2017.badssl.com } -result {handshake failed: certificate verify failed due to "CA signature digest algorithm too weak"} -returnCodes {1} test BadSSL-1.49 {sha1-intermediate} -body { badssl sha1-intermediate.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.50 {sha256} -body { badssl sha256.badssl.com } test BadSSL-1.51 {sha384} -body { badssl sha384.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.52 {sha512} -body { badssl sha512.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} test BadSSL-1.53 {static-rsa} -body { badssl static-rsa.badssl.com } test BadSSL-1.54 {subdomain.preloaded-hsts} -constraints {old_api} -body { badssl subdomain.preloaded-hsts.badssl.com } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} test BadSSL-1.55 {subdomain.preloaded-hsts} -constraints {new_api} -body { badssl subdomain.preloaded-hsts.badssl.com } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1} test BadSSL-1.56 {superfish} -body { badssl superfish.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.57 {tls-v1-0:1010} -constraints {tls1 old_api} -body { badssl tls-v1-0.badssl.com:1010 } test BadSSL-1.58 {tls-v1-0:1010} -constraints {tls1 new_api} -body { badssl tls-v1-0.badssl.com:1010 } -result {handshake failed: unsupported protocol} -returnCodes {1} test BadSSL-1.59 {tls-v1-1:1011} -constraints {tls1.1 old_api} -body { badssl tls-v1-1.badssl.com:1011 } test BadSSL-1.60 {tls-v1-1:1011} -constraints {tls1.1 new_api} -body { badssl tls-v1-1.badssl.com:1011 } -result {handshake failed: unsupported protocol} -returnCodes {1} test BadSSL-1.61 {tls-v1-2:1012} -constraints {tls1.2} -body { badssl tls-v1-2.badssl.com:1012 } test BadSSL-1.62 {untrusted-root} -constraints {old_api} -body { badssl untrusted-root.badssl.com } -result {handshake failed: certificate verify failed due to "self signed certificate in certificate chain"} -returnCodes {1} test BadSSL-1.63 {untrusted-root} -constraints {new_api} -body { badssl untrusted-root.badssl.com } -result {handshake failed: certificate verify failed due to "self-signed certificate in certificate chain"} -returnCodes {1} test BadSSL-1.64 {upgrade} -body { badssl upgrade.badssl.com } test BadSSL-1.65 {webpack-dev-server} -body { badssl webpack-dev-server.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} test BadSSL-1.66 {wrong.host} -constraints {old_api} -body { badssl wrong.host.badssl.com } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} test BadSSL-1.67 {wrong.host} -constraints {new_api} -body { badssl wrong.host.badssl.com } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1} test BadSSL-1.68 {mozilla-modern} -body { badssl mozilla-modern.badssl.com } # Cleanup ::tcltest::cleanupTests return |
Modified tests/common.tcl
from [019f917847]
to [3f4b3346c0].
︙ | ︙ | |||
16 17 18 19 20 21 22 | # OpenSSL version ::tcltest::testConstraint OpenSSL [string match "OpenSSL*" [::tls::version]] # Legacy OpenSSL v1.1.1 vs new v3.x scan [lindex [split [::tls::version]] 1] %f version ::tcltest::testConstraint new_api [expr {$version >= 3.0}] | > > > > > > | 16 17 18 19 20 21 22 23 24 25 26 27 28 | # OpenSSL version ::tcltest::testConstraint OpenSSL [string match "OpenSSL*" [::tls::version]] # Legacy OpenSSL v1.1.1 vs new v3.x scan [lindex [split [::tls::version]] 1] %f version ::tcltest::testConstraint new_api [expr {$version >= 3.0}] ::tcltest::testConstraint old_api [expr {$version < 3.0}] # Load legacy provider if {$version >= 3.0} { tls::provider legacy } |
Modified tests/digest.csv
from [e953e823d3]
to [3371cf815e].
1 2 3 4 | # Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes command,package require tls,,,,,,,,, ,,,,,,,,,, command,# Constraints,,,,,,,,, | | > | 1 2 3 4 5 6 7 8 9 10 11 12 13 | # Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes command,package require tls,,,,,,,,, ,,,,,,,,,, command,# Constraints,,,,,,,,, command,"::tcltest::testConstraint md4 [expr {""md4"" in [::tls::digests]}]",,,,,,,,, command,catch {tls::provider legacy},,,,,,,,, ,,,,,,,,,, command,# Helper functions - See common.tcl,,,,,,,,, command,proc digest_read_chan {cmd filename args} {;set ch [open $filename rb];set bsize [fconfigure $ch -buffersize];set new [$cmd {*}$args -chan $ch];while {![eof $new]} {set md [read $new $bsize]};close $new;return $md},,,,,,,,, command,proc digest_write_chan {cmd filename data args} {;set ch [open $filename wb];set new [$cmd {*}$args -chan $ch];puts -nonewline $new $data;flush $new;close $new;set ch [open $filename rb];set md [read $ch];close $ch;return $md},,,,,,,,, command,proc digest_accumulate {string args} {;set cmd [{*}$args -command dcmd]; $cmd update [string range $string 0 20];$cmd update [string range $string 21 end];return [$cmd finalize]},$cmd update [string range $string 0 20];$cmd update [string range $string 21 end];return [$cmd finalize]},,,,,,,, ,,,,,,,,,, command,"set test_data ""Example string for message digest tests.\n""",,,,,,,,, |
︙ | ︙ |
Modified tests/digest.test
from [ee7d628a1a]
to [cdebbb86d7].
︙ | ︙ | |||
8 9 10 11 12 13 14 15 16 17 18 19 20 21 | set auto_path [concat [list [file dirname [file dirname [info script]]]] $auto_path] package require tls # Constraints ::tcltest::testConstraint md4 [expr {"md4" in [::tls::digests]}] # Helper functions - See common.tcl proc digest_read_chan {cmd filename args} {;set ch [open $filename rb];set bsize [fconfigure $ch -buffersize];set new [$cmd {*}$args -chan $ch];while {![eof $new]} {set md [read $new $bsize]};close $new;return $md} proc digest_write_chan {cmd filename data args} {;set ch [open $filename wb];set new [$cmd {*}$args -chan $ch];puts -nonewline $new $data;flush $new;close $new;set ch [open $filename rb];set md [read $ch];close $ch;return $md} proc digest_accumulate {string args} {;set cmd [{*}$args -command dcmd]; $cmd update [string range $string 0 20];$cmd update [string range $string 21 end];return [$cmd finalize]} set test_data "Example string for message digest tests.\n" | > | 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | set auto_path [concat [list [file dirname [file dirname [info script]]]] $auto_path] package require tls # Constraints ::tcltest::testConstraint md4 [expr {"md4" in [::tls::digests]}] catch {tls::provider legacy} # Helper functions - See common.tcl proc digest_read_chan {cmd filename args} {;set ch [open $filename rb];set bsize [fconfigure $ch -buffersize];set new [$cmd {*}$args -chan $ch];while {![eof $new]} {set md [read $new $bsize]};close $new;return $md} proc digest_write_chan {cmd filename data args} {;set ch [open $filename wb];set new [$cmd {*}$args -chan $ch];puts -nonewline $new $data;flush $new;close $new;set ch [open $filename rb];set md [read $ch];close $ch;return $md} proc digest_accumulate {string args} {;set cmd [{*}$args -command dcmd]; $cmd update [string range $string 0 20];$cmd update [string range $string 21 end];return [$cmd finalize]} set test_data "Example string for message digest tests.\n" |
︙ | ︙ |