Overview
| Comment: | Integrated OpenSSL 1.1 patches |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
a23ed6f30968a6ef3d47d7759758a4e6 |
| User & Date: | rkeene on 2016-12-08 07:37:52 |
| Other Links: | manifest | tags |
Context
|
2016-12-08
| ||
| 08:35 | Updated protocol negotiation test to use newer versions of TLS since SSLv3 is becoming less supported check-in: 2de09464e0 user: rkeene tags: trunk | |
| 07:37 | Integrated OpenSSL 1.1 patches check-in: a23ed6f309 user: rkeene tags: trunk | |
| 07:35 | Remove a version number fixups Closed-Leaf check-in: ec53c2b85e user: rkeene tags: openssl-1.1 | |
| 04:26 | Merged in work for TclTLS 1.7 to trunk check-in: 0409513536 user: rkeene tags: trunk | |
Changes
Modified aclocal/tcltls_openssl.m4 from [1d5f994f6e] to [b0fa31c047].
| ︙ | ︙ | |||
115 116 117 118 119 120 121 122 123 124 125 |
CPPFLAGS="${SAVE_CPPFLAGS} ${TCLTLS_SSL_CPPFLAGS}"
dnl Verify that basic functionality is there
AC_LANG_PUSH(C)
AC_MSG_CHECKING([if a basic OpenSSL program works])
AC_LINK_IFELSE([AC_LANG_PROGRAM([
#include <openssl/ssl.h>
#if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
# include <openssl/conf.h>
#endif
], [
| > | < | 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 |
CPPFLAGS="${SAVE_CPPFLAGS} ${TCLTLS_SSL_CPPFLAGS}"
dnl Verify that basic functionality is there
AC_LANG_PUSH(C)
AC_MSG_CHECKING([if a basic OpenSSL program works])
AC_LINK_IFELSE([AC_LANG_PROGRAM([
#include <openssl/ssl.h>
#include <openssl/opensslv.h>
#if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
# include <openssl/conf.h>
#endif
], [
SSL_library_init();
SSL_load_error_strings();
])], [
AC_MSG_RESULT([yes])
], [
AC_MSG_RESULT([no])
AC_MSG_ERROR([Unable to compile a basic program using OpenSSL])
])
AC_LANG_POP([C])
|
| ︙ | ︙ |
Modified gen_dh_params from [d60a4dc243] to [c6f609976c].
| ︙ | ︙ | |||
33 34 35 36 37 38 39 |
fi
return 1
}
gen_dh_params_fallback() {
cat << \_EOF_
| | < | | 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
fi
return 1
}
gen_dh_params_fallback() {
cat << \_EOF_
DH *get_dh2048(void) {
static unsigned char dhp_2048[] = {
0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F,
0x20,0x2E,0xD3,0xFC,0x19,0xEE,0xB8,0xF3,0x35,0x7D,0xBA,0x86,
0x2A,0xC3,0xC8,0x6E,0xF4,0x99,0x75,0x65,0xD3,0x7A,0x9E,0xDF,
0xD4,0x1F,0x88,0xE3,0x17,0xFC,0xA1,0xED,0xA2,0xB6,0x77,0x84,
0xAA,0x08,0xF2,0x97,0x59,0x7A,0xA0,0x03,0x0D,0x3E,0x7E,0x6D,
0x65,0x6A,0xA4,0xEA,0x54,0xA9,0x52,0x5F,0x63,0xB4,0xBC,0x98,
0x4E,0xF6,0xE1,0xA4,0xEE,0x16,0x0A,0xB0,0x01,0xBD,0x9F,0xA1,
|
| ︙ | ︙ | |||
58 59 60 61 62 63 64 | 0xA9,0x4D,0xD5,0xFD,0xED,0xF2,0x6D,0x32,0x17,0x97,0x5B,0x06, 0x60,0x9C,0x5F,0xA3,0x5D,0x34,0x14,0x7E,0x63,0x54,0xE4,0x7E, 0x09,0x8F,0xBB,0x8E,0xA0,0xD0,0x96,0xAC,0x30,0x20,0x39,0x3B, 0x8C,0x92,0x65,0x37,0x0A,0x8F,0xEC,0x72,0x8B,0x61,0x7D,0x62, 0x24,0x54,0xE9,0x1D,0x01,0x68,0x89,0xC4,0x7B,0x3C,0x48,0x62, 0x9B,0x83,0x11,0x3A,0x0B,0x0D,0xEF,0x5A,0xE4,0x7A,0xA0,0x69, 0xF4,0x54,0xB5,0x5B, | | | | > | > | > > | > > | > > > | > > > > > > > | > > | | 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 |
0xA9,0x4D,0xD5,0xFD,0xED,0xF2,0x6D,0x32,0x17,0x97,0x5B,0x06,
0x60,0x9C,0x5F,0xA3,0x5D,0x34,0x14,0x7E,0x63,0x54,0xE4,0x7E,
0x09,0x8F,0xBB,0x8E,0xA0,0xD0,0x96,0xAC,0x30,0x20,0x39,0x3B,
0x8C,0x92,0x65,0x37,0x0A,0x8F,0xEC,0x72,0x8B,0x61,0x7D,0x62,
0x24,0x54,0xE9,0x1D,0x01,0x68,0x89,0xC4,0x7B,0x3C,0x48,0x62,
0x9B,0x83,0x11,0x3A,0x0B,0x0D,0xEF,0x5A,0xE4,0x7A,0xA0,0x69,
0xF4,0x54,0xB5,0x5B,
};
static unsigned char dhg_2048[] = {
0x02,
};
DH *dh = DH_new();;
BIGNUM *dhp_bn, *dhg_bn;
if (dh == NULL) {
return NULL;
}
dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
dh->p = dhp_bn;
dh->g = dhg_bn;
if (dhp_bn == NULL || dhg_bn == NULL) {
#else
if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
#endif
DH_free(dh);
BN_free(dhp_bn);
BN_free(dhg_bn);
return(NULL);
}
return(dh);
}
_EOF_
}
# Enable support for giving the same DH params each time
if [ "$1" = 'fallback' ]; then
gen_dh_params_fallback && exit 0
|
| ︙ | ︙ |
Modified tls.c from [9b5d593b52] to [6dd111d1a2].
| ︙ | ︙ | |||
119 120 121 122 123 124 125 126 127 128 129 130 131 132 | #include <openssl/crypto.h> /* * Threaded operation requires locking callbacks * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. */ static Tcl_Mutex locks[CRYPTO_NUM_LOCKS]; static Tcl_Mutex init_mx; static void CryptoThreadLockCallback (int mode, int n, const char *file, int line); static unsigned long CryptoThreadIdCallback (void); static void | > > > | 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 | #include <openssl/crypto.h> /* * Threaded operation requires locking callbacks * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. */ #ifndef CRYPTO_NUM_LOCKS #define CRYPTO_NUM_LOCKS 128 #endif static Tcl_Mutex locks[CRYPTO_NUM_LOCKS]; static Tcl_Mutex init_mx; static void CryptoThreadLockCallback (int mode, int n, const char *file, int line); static unsigned long CryptoThreadIdCallback (void); static void |
| ︙ | ︙ | |||
260 261 262 263 264 265 266 |
*/
static int
VerifyCallback(int ok, X509_STORE_CTX *ctx)
{
Tcl_Obj *cmdPtr, *result;
char *errStr, *string;
int length;
| | | 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 |
*/
static int
VerifyCallback(int ok, X509_STORE_CTX *ctx)
{
Tcl_Obj *cmdPtr, *result;
char *errStr, *string;
int length;
SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
State *statePtr = (State*)SSL_get_app_data(ssl);
int depth = X509_STORE_CTX_get_error_depth(ctx);
int err = X509_STORE_CTX_get_error(ctx);
dprintf("Verify: %d", ok);
|
| ︙ | ︙ | |||
1742 1743 1744 1745 1746 1747 1748 |
*
*------------------------------------------------------*
*/
static int TlsLibInit (void) {
static int initialized = 0;
int i;
char rnd_seed[16] = "GrzSlplKqUdnnzP!"; /* 16 bytes */
| | | < < < < < < | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | > | 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 |
*
*------------------------------------------------------*
*/
static int TlsLibInit (void) {
static int initialized = 0;
int i;
char rnd_seed[16] = "GrzSlplKqUdnnzP!"; /* 16 bytes */
int status = TCL_OK;
if (initialized) {
return(status);
}
initialized = 1;
#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
size_t num_locks;
Tcl_MutexLock(&init_mx);
#endif
#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
/* should we consider allocating mutexes? */
num_locks = CRYPTO_num_locks();
if (num_locks > CRYPTO_NUM_LOCKS) {
status = TCL_ERROR;
goto done;
}
CRYPTO_set_locking_callback(CryptoThreadLockCallback);
CRYPTO_set_id_callback(CryptoThreadIdCallback);
#endif
if (SSL_library_init() != 1) {
status = TCL_ERROR;
goto done;
}
SSL_load_error_strings();
ERR_load_crypto_strings();
/*
* Seed the random number generator in the SSL library,
* using the do/while construct because of the bug note in the
* OpenSSL FAQ at http://www.openssl.org/support/faq.html#USER1
*
* The crux of the problem is that Solaris 7 does not have a
* /dev/random or /dev/urandom device so it cannot gather enough
* entropy from the RAND_seed() when TLS initializes and refuses
* to go further. Earlier versions of OpenSSL carried on regardless.
*/
srand((unsigned int) time((time_t *) NULL));
do {
for (i = 0; i < 16; i++) {
rnd_seed[i] = 1 + (char) (255.0 * rand()/(RAND_MAX+1.0));
}
RAND_seed(rnd_seed, sizeof(rnd_seed));
} while (RAND_status() != 1);
done:
#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
Tcl_MutexUnlock(&init_mx);
#endif
return status;
}
|
Modified tlsBIO.c from [540c0ab883] to [936355d12f].
| ︙ | ︙ | |||
19 20 21 22 23 24 25 |
BIO *
BIO_new_tcl(statePtr, flags)
State *statePtr;
int flags;
{
BIO *bio;
| | | > | | | | | | | < | > | | > | | | | 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
BIO *
BIO_new_tcl(statePtr, flags)
State *statePtr;
int flags;
{
BIO *bio;
static BIO_METHOD *BioMethods = NULL;
if (BioMethods == NULL) {
BioMethods = BIO_meth_new(BIO_TYPE_TCL, "tcl");
BIO_meth_set_write(BioMethods, BioWrite);
BIO_meth_set_read(BioMethods, BioRead);
BIO_meth_set_puts(BioMethods, BioPuts);
BIO_meth_set_ctrl(BioMethods, BioCtrl);
BIO_meth_set_create(BioMethods, BioNew);
BIO_meth_set_destroy(BioMethods, BioFree);
}
bio = BIO_new(BioMethods);
BIO_set_data(bio, statePtr);
BIO_set_init(bio, 1);
BIO_set_shutdown(bio, flags);
return bio;
}
static int
BioWrite (bio, buf, bufLen)
BIO *bio;
CONST char *buf;
int bufLen;
{
Tcl_Channel chan = Tls_GetParent((State*)BIO_get_data(bio));
int ret;
dprintf("BioWrite(%p, <buf>, %d) [%p]",
(void *) bio, bufLen, (void *) chan);
if (channelTypeVersion == TLS_CHANNEL_VERSION_2) {
ret = Tcl_WriteRaw(chan, buf, bufLen);
|
| ︙ | ︙ | |||
79 80 81 82 83 84 85 |
static int
BioRead (bio, buf, bufLen)
BIO *bio;
char *buf;
int bufLen;
{
| | | 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
static int
BioRead (bio, buf, bufLen)
BIO *bio;
char *buf;
int bufLen;
{
Tcl_Channel chan = Tls_GetParent((State*)BIO_get_data(bio));
int ret = 0;
int tclEofChan;
dprintf("BioRead(%p, <buf>, %d) [%p]", (void *) bio, bufLen, (void *) chan);
if (buf == NULL) return 0;
|
| ︙ | ︙ | |||
135 136 137 138 139 140 141 |
static long
BioCtrl (bio, cmd, num, ptr)
BIO *bio;
int cmd;
long num;
void *ptr;
{
| | < | < < < | | < | < < < < < | < | | | | 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 |
static long
BioCtrl (bio, cmd, num, ptr)
BIO *bio;
int cmd;
long num;
void *ptr;
{
Tcl_Channel chan = Tls_GetParent((State*)BIO_get_data(bio));
long ret = 1;
dprintf("BioCtrl(%p, 0x%x, 0x%x, %p)",
(void *) bio, (unsigned int) cmd, (unsigned int) num,
(void *) ptr);
switch (cmd) {
case BIO_CTRL_RESET:
num = 0;
case BIO_C_FILE_SEEK:
case BIO_C_FILE_TELL:
ret = 0;
break;
case BIO_CTRL_INFO:
ret = 1;
break;
case BIO_C_SET_FD:
dprintf("Unsupported call: BIO_C_SET_FD");
ret = -1;
break;
case BIO_C_GET_FD:
dprintf("Unsupported call: BIO_C_GET_FD");
ret = -1;
break;
case BIO_CTRL_GET_CLOSE:
ret = BIO_get_shutdown(bio);
break;
case BIO_CTRL_SET_CLOSE:
BIO_set_shutdown(bio, num);
break;
case BIO_CTRL_EOF:
dprintf("BIO_CTRL_EOF");
ret = Tcl_Eof(chan);
break;
case BIO_CTRL_PENDING:
ret = (Tcl_InputBuffered(chan) ? 1 : 0);
|
| ︙ | ︙ | |||
209 210 211 212 213 214 215 |
return(ret);
}
static int
BioNew (bio)
BIO *bio;
{
| | < | | | < | | | < | 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 |
return(ret);
}
static int
BioNew (bio)
BIO *bio;
{
BIO_set_init(bio, 0);
BIO_set_data(bio, NULL);
BIO_clear_flags(bio, -1);
return 1;
}
static int
BioFree (bio)
BIO *bio;
{
if (bio == NULL) {
return 0;
}
if (BIO_get_shutdown(bio)) {
if (BIO_get_init(bio)) {
/*shutdown(bio->num, 2) */
/*closesocket(bio->num) */
}
BIO_set_init(bio, 0);
BIO_clear_flags(bio, -1);
}
return 1;
}
|
Modified tlsInt.h from [65f97677c5] to [c265b67309].
| ︙ | ︙ | |||
257 258 259 260 261 262 263 264 265 | void Tls_Error _ANSI_ARGS_ ((State *statePtr, char *msg)); void Tls_Free _ANSI_ARGS_ ((char *blockPtr)); void Tls_Clean _ANSI_ARGS_ ((State *statePtr)); int Tls_WaitForConnect _ANSI_ARGS_(( State *statePtr, int *errorCodePtr)); BIO * BIO_new_tcl _ANSI_ARGS_((State* statePtr, int flags)); #endif /* _TLSINT_H */ | > > > > > > > > > > > > > > > > > > > > > | 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 |
void Tls_Error _ANSI_ARGS_ ((State *statePtr, char *msg));
void Tls_Free _ANSI_ARGS_ ((char *blockPtr));
void Tls_Clean _ANSI_ARGS_ ((State *statePtr));
int Tls_WaitForConnect _ANSI_ARGS_(( State *statePtr,
int *errorCodePtr));
BIO * BIO_new_tcl _ANSI_ARGS_((State* statePtr, int flags));
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define BIO_get_data(bio) ((bio)->ptr)
#define BIO_get_init(bio) ((bio)->init)
#define BIO_get_shutdown(bio) ((bio)->shutdown)
#define BIO_set_data(bio, val) (bio)->ptr = (val)
#define BIO_set_init(bio, val) (bio)->init = (val)
#define BIO_set_shutdown(bio, val) (bio)->shutdown = (val)
/* XXX: This assumes the variable being assigned to is BioMethods */
#define BIO_meth_new(type_, name_) (BIO_METHOD *)Tcl_Alloc(sizeof(BIO_METHOD)); \
memset(BioMethods, 0, sizeof(BIO_METHOD)); \
BioMethods->type = type_; \
BioMethods->name = name_;
#define BIO_meth_set_write(bio, val) (bio)->bwrite = val;
#define BIO_meth_set_read(bio, val) (bio)->bread = val;
#define BIO_meth_set_puts(bio, val) (bio)->bputs = val;
#define BIO_meth_set_ctrl(bio, val) (bio)->ctrl = val;
#define BIO_meth_set_create(bio, val) (bio)->create = val;
#define BIO_meth_set_destroy(bio, val) (bio)->destroy = val;
#endif
#endif /* _TLSINT_H */
|
Modified tlsX509.c from [a24085972c] to [9fff18dbef].
| ︙ | ︙ | |||
97 98 99 100 101 102 103 |
char issuer[BUFSIZ];
char serial[BUFSIZ];
char notBefore[BUFSIZ];
char notAfter[BUFSIZ];
char certStr[BUFSIZ];
#ifndef NO_SSL_SHA
int shai;
| | > > > | 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
char issuer[BUFSIZ];
char serial[BUFSIZ];
char notBefore[BUFSIZ];
char notAfter[BUFSIZ];
char certStr[BUFSIZ];
#ifndef NO_SSL_SHA
int shai;
char sha_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1];
unsigned char sha_hash_binary[SHA_DIGEST_LENGTH];
const char *shachars="0123456789ABCDEF";
sha_hash_ascii[SHA_DIGEST_LENGTH * 2] = '\0';
#endif
certStr[0] = 0;
if ((bio = BIO_new(BIO_s_mem())) == NULL) {
subject[0] = 0;
issuer[0] = 0;
serial[0] = 0;
|
| ︙ | ︙ | |||
142 143 144 145 146 147 148 |
BIO_free(bio);
}
strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) ));
strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) ));
#ifndef NO_SSL_SHA
| > | < | | | < | < | 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 |
BIO_free(bio);
}
strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) ));
strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) ));
#ifndef NO_SSL_SHA
X509_digest(cert, EVP_sha1(), sha_hash_binary, NULL);
for (shai = 0; shai < SHA_DIGEST_LENGTH; shai++) {
sha_hash_ascii[shai * 2] = shachars[(sha_hash_binary[shai] & 0xF0) >> 4];
sha_hash_ascii[shai * 2 + 1] = shachars[(sha_hash_binary[shai] & 0x0F)];
}
Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) );
Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha_hash_ascii, SHA_DIGEST_LENGTH * 2) );
#endif
Tcl_ListObjAppendElement( interp, certPtr,
Tcl_NewStringObj( "subject", -1) );
Tcl_ListObjAppendElement( interp, certPtr,
Tcl_NewStringObj( subject, -1) );
|
| ︙ | ︙ |