TclTLS: Check-in [2568fd9c5d]

Overview

Comment:	Formatting (taken over from bohagan)
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| bohagan
Files:	files \| file ages \| folders
SHA3-256:	2568fd9c5d2366410e31280dde2eb02ba407410ef8065ee5870df1e25cd733aa
User & Date:	jan.nijtmans on 2024-03-05 14:37:03
Other Links:	branch diff \| manifest \| tags

Context

2024-03-12
14:30		Merge trunk check-in: c005e3d09b user: jan.nijtmans tags: bohagan
2024-03-05
14:37		Formatting (taken over from bohagan) check-in: 2568fd9c5d user: jan.nijtmans tags: bohagan
13:57		Merge trunk check-in: b2b78ae91b user: jan.nijtmans tags: bohagan

Changes

Modified generic/tls.c from [be27cdc273] to [e096bf5253].

Modified generic/tlsBIO.c from [26205b6a4d] to [b20b460cd0].

Modified generic/tlsIO.c from [54acfa5baa] to [48c0fc9f8a].

︙
31 32 33 34 35 36 37 ~~38 39 40~~ 41 42 43 44 45 46 47	31 32 33 34 35 36 37 38 39 40 41 42 43 44	- - -	#include <openssl/safestack.h> /* Min OpenSSL version / #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif ~~/ * External functions /~~ / * Forward declarations / #define F2N(key, dsp) \ (((key) == NULL) ? (char )NULL : \
︙
330 331 332 333 334 335 336 ~~337~~ 338 339 340 341 342 343 344	327 328 329 330 331 332 333 334 335 336 337 338 339 340 341	- +	* * Monitors SSL certificate validation process. Used to control the * behavior when the SSL_VERIFY_PEER flag is set. This is called * whenever a certificate is inspected or decided invalid. Called for * each certificate in the cert chain. * * Checks: * certificate chain is checked starting with the deepest nesting level * The certificate chain is checked starting with the deepest nesting level * (the root CA certificate) and worked upward to the peer's certificate. * All signatures are valid, current time is within first and last validity time. * Check that the certificate is issued by the issuer certificate issuer. * Check the revocation status for each certificate. * Check the validity of the given CRL and the cert revocation status. * Check the policies of all the certificates *
︙
402 403 404 405 406 407 408 ~~409~~ 410 411 412 413 414 415 416 ~~417~~ 418 419 420 421 422 423 424	399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421	- + - +	Tcl_IncrRefCount(cmdPtr); ok = EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); dprintf("VerifyCallback: command result = %d", ok); /* statePtr->flags &= ~(TLS_TCL_CALLBACK); / ~~return~~(ok)~~; / By default, leave verification unchanged. /~~ return ok; / By default, leave verification unchanged. / } / ------------------------------------------------------------------- * Tls_Error -- * * Calls callback with ~~list of~~ errors. * Calls callback with error message. * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * ------------------------------------------------------------------- /
︙
485 486 487 488 489 490 491 ~~492 493 494~~ 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 ~~519 520 521~~ 522 523 524 525 526 527 528	482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530	- - - + + + + - - - + + + + + + +	} /* ------------------------------------------------------------------- * Password Callback -- * * Called when a password for a private key loading~~/storing a PEM~~ * certificate with encryption. Evals callback ~~script and returns~~ * the result as the password string in buf. * Called when a password is needed for a private key when loading * or storing a PEM certificate with encryption. Evals callback * script and returns the result as the password string in buf. * * Results: * None * * Side effects: * Calls callback (if defined) * * Returns: * Password size in bytes or -1 for an error. * ------------------------------------------------------------------- / static int PasswordCallback(char buf, int size, int rwflag, void udata) { State statePtr = (State ) udata; Tcl_Interp interp = statePtr->interp; Tcl_Obj cmdPtr; int code; Tcl_Size len; dprintf("Called"); /* If no callback, use default callback / if (statePtr->password == NULL) { if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) == TCL_OK) { ~~char ret = (char ) Tcl_GetStringResult(interp); strncpy(buf, ret, (size_t) ~~size~~); return (int)~~strlen(ret)~~;~~ char ret = (char ) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > (Tcl_Size) size-1) { len = (Tcl_Size) size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; return (int) len; } else { return -1; } } / Create command to eval with fn, rwflag, and size args */ cmdPtr = Tcl_DuplicateObj(statePtr->password);
︙
545 546 547 548 549 550 551 ~~552~~ 553 554 555 556 557 558 559 ~~560~~ 561 562 563 564 565 566 567	547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568	- - +	} Tcl_DecrRefCount(cmdPtr); Tcl_Release((void ) statePtr); / If successful, pass back password string and truncate if too long / if (code == TCL_OK) { ~~Tcl_Size len;~~ char ret = (char ) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > (Tcl_Size) size-1) { len = (Tcl_Size) size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((void ) interp); ~~return((int) len);~~ return (int) len; } Tcl_Release((void ) interp); return -1; } / *-------------------------------------------------------------------
︙
621 622 623 624 625 626 627 628 629 630 631 632 633 634	622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637	+ +	Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); /* Eval callback command / Tcl_IncrRefCount(cmdPtr); EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); / Return 0 for now until session handling is complete / return 0; } / ------------------------------------------------------------------- * ALPN Callback for Servers and NPN Callback for Clients --
︙
913 914 915 916 917 918 919 920 921 922 923 924 925 926	916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933	+ + + +	res = SSL_CLIENT_HELLO_ERROR; alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; } Tcl_DecrRefCount(cmdPtr); return res; } /******************/ / Commands / /******************/ / ------------------------------------------------------------------- * CiphersObjCmd -- list available ciphers * * This procedure is invoked to process the "tls::ciphers" command * to list available ciphers, based upon protocol selected.
︙
1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029	1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038	+ +	SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); break; #endif default: method = TLS_method(); break; } ctx = SSL_CTX_new(method); if (ctx == NULL) { Tcl_AppendResult(interp, GET_ERR_REASON(), (char )NULL); return TCL_ERROR; } ssl = SSL_new(ctx); if (ssl == NULL) { Tcl_AppendResult(interp, GET_ERR_REASON(), (char )NULL); SSL_CTX_free(ctx); return TCL_ERROR; }
︙
1155 1156 1157 1158 1159 1160 1161 ~~1162~~ 1163 1164 1165 1166 1167 1168 ~~1169~~ 1170 1171 1172 1173 1174 1175 1176 1177 ~~1178~~ 1179 1180 1181 1182 1183 1184 1185	1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194	- + - + - +	int ret = 1; int err = 0; dprintf("Called"); if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); ~~return(TCL_ERROR);~~ return TCL_ERROR; } ERR_clear_error(); chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); if (chan == (Tcl_Channel) NULL) { ~~return(TCL_ERROR);~~ return TCL_ERROR; } /* Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", (char )NULL); Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "CHANNEL", "INVALID", (char )NULL); ~~return(TCL_ERROR);~~ return TCL_ERROR; } statePtr = (State )Tcl_GetChannelInstanceData(chan); dprintf("Calling Tls_WaitForConnect"); ret = Tls_WaitForConnect(statePtr, &err, 1); dprintf("Tls_WaitForConnect returned: %i", ret);
︙
1198 1199 1200 1201 1202 1203 1204 ~~1205~~ 1206 1207 1208 1209 1210 1211 1212 1213 1214 ~~1215~~ 1216 1217 1218 1219 1220 1221 1222	1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231	- + - +	Tcl_AppendResult(interp, "handshake failed: ", errStr, (char )NULL); if ((result = SSL_get_verify_result(statePtr->ssl)) != X509_V_OK) { Tcl_AppendResult(interp, " due to \"", X509_verify_cert_error_string(result), "\"", (char )NULL); } Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char )NULL); dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); ~~return(TCL_ERROR);~~ return TCL_ERROR; } else { if (err != 0) { dprintf("Got an error with a completed handshake: err = %i", err); } ret = 1; } dprintf("Returning TCL_OK with data \"%i\"", ret); Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); ~~return(TCL_OK);~~ return TCL_OK; } / ------------------------------------------------------------------- * ImportObjCmd -- *
︙
1294 1295 1296 1297 1298 1299 1300 ~~1301 1302~~ ~~1303~~ 1304 1305 1306 1307 1308 1309 1310	1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317	- - + -	ERR_clear_error(); chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } ~~/* * Make sure to operate on the topmost channel~~ /* Make sure to operate on the topmost channel / / chan = Tcl_GetTopChannel(chan); for (idx = 2; idx < objc; idx++) { char *opt = Tcl_GetString(objv[idx]); if (opt[0] != '-') break;
︙
1468 1469 1470 1471 1472 1473 1474 ~~1475~~ 1476 1477 1478 1479 1480 1481 1482	1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488	-	Tcl_DStringFree(&upperChannelEncoding); Tcl_DStringFree(&upperChannelEOFChar); Tcl_DStringFree(&upperChannelBlocking); /* * SSL Initialization / statePtr->ssl = SSL_new(statePtr->ctx); if (!statePtr->ssl) { / SSL library error / Tcl_AppendResult(interp, "couldn't construct ssl session: ", GET_ERR_REASON(), (char )NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "INIT", "FAILED", (char )NULL); Tls_Free((void )statePtr); return TCL_ERROR;
︙
1549 1550 1551 1552 1553 1554 1555 ~~1556~~ 1557 1558 1559 1560 1561 1562 1563	1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569	- +	char str = Tcl_GetStringFromObj(list[j], &len); p++ = (unsigned char) len; memcpy(p, str, (size_t) len); p += len; } /* SSL_set_alpn_protos makes a copy of the protocol-list / ~~/ Note: This functions reverses the return value convention /~~ / Note: This function reverses the return value convention / if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char )NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char )NULL); Tls_Free((void )statePtr); ckfree(protos); return TCL_ERROR; }
︙
1680 1681 1682 1683 1684 1685 1686 ~~1687 1688~~ ~~1689~~ 1690 1691 1692 1693 1694 1695 1696	1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700	- - + -	} chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } ~~/* * Make sure to operate on the topmost channel~~ /* Make sure to operate on the topmost channel / / chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", (char )NULL); Tcl_SetErrorCode(interp, "TLS", "UNIMPORT", "CHANNEL", "INVALID", (char )NULL); return TCL_ERROR;
︙
1754 1755 1756 1757 1758 1759 1760 ~~1761~~ 1762 1763 1764 1765 1766 ~~1767~~ 1768 1769 1770 1771 1772 ~~1773~~ 1774 1775 1776 1777 1778 ~~1779~~ 1780 1781 1782 1783 1784 1785 1786	1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790	- + - + - + - +	Tcl_AppendResult(interp, "SSL2 protocol not supported", (char )NULL); return NULL; } if (ENABLED(proto, TLS_PROTO_SSL3)) { Tcl_AppendResult(interp, "SSL3 protocol not supported", (char )NULL); return NULL; } ~~#if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) ~~\|\| defined(OPENSSL_NO_TLS1_METHOD)~~~~ #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", (char )NULL); return NULL; } #endif ~~#if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) ~~\|\| defined(OPENSSL_NO_TLS1_1_METHOD)~~~~ #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", (char )NULL); return NULL; } #endif ~~#if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) ~~\|\| defined(OPENSSL_NO_TLS1_2_METHOD)~~~~ #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", (char )NULL); return NULL; } #endif ~~#if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) ~~\|\| defined(OPENSSL_NO_TLS1_3_METHOD)~~~~ #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", (char )NULL); return NULL; } #endif if (proto == 0) { /* Use full range */
︙
1800 1801 1802 1803 1804 1805 1806 ~~1807~~ 1808 1809 1810 1811 1812 1813 1814 1815 ~~1816~~ 1817 1818 ~~1819~~ 1820 1821 ~~1822~~ 1823 1824 ~~1825~~ 1826 1827 1828 1829 1830 1831 1832 1833 1834 ~~1835~~ 1836 1837 1838 1839 1840 1841 1842	1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846	- + - + - + - + - + - +	break; #endif #if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD) case TLS_PROTO_TLS1_2: method = isServer ? TLSv1_2_server_method() : TLSv1_2_client_method(); break; #endif ~~#if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) ~~&& !defined(OPENSSL_NO_TLS1_3_METHOD)~~~~ #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) case TLS_PROTO_TLS1_3: /* Use the generic method and constraint range after context is created / method = isServer ? TLS_server_method() : TLS_client_method(); break; #endif default: / Negotiate highest available SSL/TLS version */ method = isServer ? TLS_server_method() : TLS_client_method(); ~~#if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) ~~&& !defined(OPENSSL_NO_TLS1_METHOD)~~~~ #if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) off \|= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); #endif ~~#if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) ~~&& !defined(OPENSSL_NO_TLS1_1_METHOD)~~~~ #if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) off \|= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); #endif ~~#if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) ~~&& !defined(OPENSSL_NO_TLS1_2_METHOD)~~~~ #if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) off \|= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); #endif ~~#if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) ~~&& !defined(OPENSSL_NO_TLS1_3_METHOD)~~~~ #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) off \|= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); #endif break; } ERR_clear_error(); ctx = SSL_CTX_new(method); if (!ctx) { ~~return~~(NULL)~~;~~ return NULL; } if (getenv(SSLKEYLOGFILE)) { SSL_CTX_set_keylog_callback(ctx, KeyLogCallback); } #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3)
︙
1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900	1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906	+ +	} /* set some callbacks / SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback); SSL_CTX_set_default_passwd_cb_userdata(ctx, (void )statePtr); /* read a Diffie-Hellman parameters file, or use the built-in one / Tcl_DStringInit(&ds); #ifdef OPENSSL_NO_DH if (DHparams != NULL) { Tcl_AppendResult(interp, "DH parameter support not available", (char )NULL); SSL_CTX_free(ctx); return NULL; } #else { DH* dh; if (DHparams != NULL) { BIO bio; bio = BIO_new_file(F2N(DHparams, &ds), "r"); if (!bio) { Tcl_DStringFree(&ds); Tcl_AppendResult(interp, "Could not find DH parameters file", (char )NULL); SSL_CTX_free(ctx); return NULL; }
︙
1985 1986 1987 1988 1989 1990 1991 ~~1992 1993 1994~~ 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018	1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025	- - - + + + +	SSL_CTX_free(ctx); return NULL; } } /* Now we know that a key and cert have been set against * the SSL context / if (!SSL_CTX_check_private_key(ctx)) { ~~~~Tcl_AppendResult(interp,~~ "private key does not match the certificate public key", (char )NULL);~~ Tcl_AppendResult(interp, "private key does not match the certificate public key", (char )NULL); SSL_CTX_free(ctx); return NULL; } } / Set to use default location and file for Certificate Authority (CA) certificates. The * verify path and store can be overridden by the SSL_CERT_DIR env var. The verify file can * be overridden by the SSL_CERT_FILE env var. / if (!SSL_CTX_set_default_verify_paths(ctx)) { abort++; } / Overrides for the CA verify path and file / { #if OPENSSL_VERSION_NUMBER < 0x30000000L if (CApath != NULL \|\| CAfile != NULL) { Tcl_DString ds1; Tcl_DStringInit(&ds1); if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) { abort++; } Tcl_DStringFree(&ds); Tcl_DStringFree(&ds1); / Set list of CAs to send to client when requesting a client certificate */
︙
2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 ~~2096 2097~~ ~~2098~~ 2099 2100 2101 2102 2103 2104 2105	2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112	+ - - + + -	dprintf("Called"); if (objc < 2 \|\| objc > 3 \|\| (objc == 3 && !strcmp(Tcl_GetString(objv[1]), "-local"))) { Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); return TCL_ERROR; } /* Get channel Id / channelName = Tcl_GetString(objv[(objc == 2 ? 1 : 2)]); chan = Tcl_GetChannel(interp, channelName, &mode); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } ~~/ * Make sure to operate on the topmost channel~~ /* Make sure to operate on the topmost channel / / chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", (char )NULL); Tcl_SetErrorCode(interp, "TLS", "STATUS", "CHANNEL", "INVALID", (char )NULL); return TCL_ERROR; }
︙
2206 2207 2208 2209 2210 2211 2212 ~~2213~~ 2214 2215 2216 2217 ~~2218~~ 2219 2220 2221 2222 2223 2224 ~~2225~~ 2226 ~~2227~~ 2228 2229 2230 2231 2232 2233 2234	2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241	- + - + - + - +	const SSL ssl; const SSL_CIPHER cipher; const SSL_SESSION session; const EVP_MD md; if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); ~~return(TCL_ERROR);~~ return TCL_ERROR; } chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); if (chan == (Tcl_Channel) NULL) { ~~return(TCL_ERROR);~~ return TCL_ERROR; } /* Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), ~~"\": not a TLS channel", NULL);~~ "\": not a TLS channel", (char )NULL); Tcl_SetErrorCode(interp, "TLS", "CONNECTION", "CHANNEL", "INVALID", (char )NULL); ~~return(TCL_ERROR);~~ return TCL_ERROR; } objPtr = Tcl_NewListObj(0, NULL); / Connection info / statePtr = (State )Tcl_GetChannelInstanceData(chan); ssl = statePtr->ssl;
︙
2480 2481 2482 2483 2484 2485 2486 ~~2487~~ ~~2488~~ 2489 2490 2491 2492 2493 2494 2495	2487 2488 2489 2490 2491 2492 2493 2494 2495 2496 2497 2498 2499 2500 2501	- + -	dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); return TCL_ERROR; } ~~if (Tcl_GetIndexFromObj(interp, objv[1], commands,~~ if (Tcl_GetIndexFromObj(interp, objv[1], commands, "command", 0, &cmd) != TCL_OK) { ~~"command", 0,&cmd) != TCL_OK) {~~ return TCL_ERROR; } ERR_clear_error(); isStr = (cmd == C_STRREQ); switch ((enum command) cmd) {
︙
2606 2607 2608 2609 2610 2611 2612 ~~2613~~ 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 ~~2624 2625 2626 2627 2628 2629 2630~~ 2631 2632 2633 2634 2635 2636 2637	2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643	- + - - - - - - - + + + + + + +	if ((cert=X509_new())==NULL) { Tcl_SetResult(interp,"Error generating certificate request",NULL); EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif ~~return(TCL_ERROR);~~ return TCL_ERROR; } X509_set_version(cert,2); ASN1_INTEGER_set(X509_get_serialNumber(cert),serial); X509_gmtime_adj(X509_getm_notBefore(cert),0); X509_gmtime_adj(X509_getm_notAfter(cert),(long)606024days); X509_set_pubkey(cert,pkey); name=X509_get_subject_name(cert); X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, (unsigned char ) k_C, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, (unsigned char ) k_ST, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, (unsigned char ) k_L, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (unsigned char ) k_O, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, (unsigned char ) k_OU, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, (unsigned char ) k_CN, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, (unsigned char ) k_Email, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, (const unsigned char ) k_C, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, (const unsigned char ) k_ST, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, (const unsigned char ) k_L, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (const unsigned char ) k_O, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, (const unsigned char ) k_OU, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, (const unsigned char ) k_CN, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, (const unsigned char *) k_Email, -1, -1, 0); X509_set_subject_name(cert,name); if (!X509_sign(cert,pkey,EVP_sha256())) { X509_free(cert); EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER < 0x30000000L
︙
2905 2906 2907 2908 2909 2910 2911 ~~2912~~ 2913 2914 2915 2916 2917 2918 2919	2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925	- +	* A standard Tcl error code. * ------------------------------------------------------ / DLLEXPORT int Tls_SafeInit(Tcl_Interp interp) { dprintf("Called"); ~~return(Tls_Init(interp));~~ return Tls_Init(interp); } /* ------------------------------------------------------ * * TlsLibInit -- *
︙
2936 2937 2938 2939 2940 2941 2942 ~~2943~~ 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 ~~2963~~ 2964 2965 2966 2967 ~~2968~~ 2969 2970 2971 2972 2973 2974 2975	2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981	- + - + - +	size_t num_locks; #endif if (uninitialize) { if (!initialized) { dprintf("Asked to uninitialize, but we are not initialized"); ~~return(TCL_OK);~~ return TCL_OK; } dprintf("Asked to uninitialize"); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexLock(&init_mx); if (locks) { free(locks); locks = NULL; locksCount = 0; } #endif initialized = 0; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexUnlock(&init_mx); #endif ~~return(TCL_OK);~~ return TCL_OK; } if (initialized) { dprintf("Called, but using cached value"); ~~return(status);~~ return status; } dprintf("Called"); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexLock(&init_mx); #endif
︙
2988 2989 2990 2991 2992 2993 2994 ~~2995~~ 2996	2994 2995 2996 2997 2998 2999 3000 3001 3002	- +	BIO_new_tcl(NULL, 0); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexUnlock(&init_mx); #endif ~~return(status);~~ return status; }

︙
23 24 25 26 27 28 29 30 31 32 33 34 35 36	23 24 25 26 27 28 29 30 31 32 33 34 35 36 37	+	#define BIO_meth_set_read(bio, val) (bio)->bread = val; #define BIO_meth_set_puts(bio, val) (bio)->bputs = val; #define BIO_meth_set_ctrl(bio, val) (bio)->ctrl = val; #define BIO_meth_set_create(bio, val) (bio)->create = val; #define BIO_meth_set_destroy(bio, val) (bio)->destroy = val; #endif /* Called by SSL_write() / static int BioWrite(BIO bio, const char buf, int bufLen) { Tcl_Channel chan; Tcl_Size ret; int tclEofChan, tclErrno; chan = Tls_GetParent((State ) BIO_get_data(bio), 0);
︙
46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71	47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75	+ + +	BIO_clear_flags(bio, BIO_FLAGS_WRITE \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0; } else if (ret == 0) { dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0"); dprintf("Setting retry read flag"); BIO_set_retry_read(bio); } else if (ret < 0) { dprintf("We got some kind of I/O error"); if (tclErrno == EAGAIN) { dprintf("It's EAGAIN"); } else { dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); } } else { dprintf("Successfully wrote %" TCL_SIZE_MODIFIER "d bytes of data", ret); } if (ret != -1 \|\| (ret == -1 && tclErrno == EAGAIN)) { if (BIO_should_read(bio)) { dprintf("Setting should retry read flag");
︙
100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125	104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132	+ + +	BIO_clear_flags(bio, BIO_FLAGS_READ \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0; } else if (ret == 0) { dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0"); dprintf("Setting retry read flag"); BIO_set_retry_read(bio); } else if (ret < 0) { dprintf("We got some kind of I/O error"); if (tclErrno == EAGAIN) { dprintf("It's EAGAIN"); } else { dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); } } else { dprintf("Successfully read %" TCL_SIZE_MODIFIER "d bytes of data", ret); } if (ret != -1 \|\| (ret == -1 && tclErrno == EAGAIN)) { if (BIO_should_write(bio)) { dprintf("Setting should retry write flag");
︙
236 237 238 239 240 241 242 ~~243~~ 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 ~~260~~ 261 262 263 264 265 266 267	243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274	- + - +	case BIO_CTRL_GET_KTLS_RECV: dprintf("Got BIO_CTRL_GET_KTLS_RECV"); ret = 0; break; #endif default: dprintf("Got unknown control command (%i)", cmd); ~~ret = -2;~~ ret = 0; break; } return ret; } static int BioNew(BIO bio) { dprintf("BioNew(%p) called", bio); BIO_set_init(bio, 0); BIO_set_data(bio, NULL); BIO_clear_flags(bio, -1); return 1; } static int BioFree(BIO bio) { if (bio == NULL) { ~~return~~(0)~~;~~ return 0; } dprintf("BioFree(%p) called", bio); if (BIO_get_shutdown(bio)) { if (BIO_get_init(bio)) { /shutdown(bio->num, 2) /
︙
300 301 302 303 304 305 306 ~~307~~ 308 309 310 311 312 313 314	307 308 309 310 311 312 313 314 315 316 317 318 319 320 321	- +	BIO_meth_set_create(BioMethods, BioNew); BIO_meth_set_destroy(BioMethods, BioFree); } if (statePtr == NULL) { dprintf("Asked to setup a NULL state, just creating the initial configuration"); ~~return~~(NULL)~~;~~ return NULL; } #ifdef TCLTLS_SSL_USE_FASTPATH /* * If the channel can be mapped back to a file descriptor, just use the file descriptor * with the SSL library since it will likely be optimized for this. */
︙
331 332 333 334 335 336 337 ~~338~~ 339 340 341 342 343 344 345 346 347 ~~348~~ 349	338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356	- + - +	} } if (validParentChannelFd) { dprintf("We found a shortcut, this channel is backed by a socket: %i", parentChannelFdIn); bio = BIO_new_socket(parentChannelFd, flags); statePtr->flags \|= TLS_TCL_FASTPATH; ~~return~~(bio)~~;~~ return bio; } dprintf("Falling back to Tcl I/O for this channel"); #endif bio = BIO_new(BioMethods); BIO_set_data(bio, statePtr); BIO_set_shutdown(bio, flags); BIO_set_init(bio, 1); ~~return~~(bio)~~;~~ return bio; }

︙
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58	44 45 46 47 48 49 50 51 52 53 54 55 56 57 58	- +	State statePtr = (State )instanceData; if (mode == TCL_MODE_NONBLOCKING) { statePtr->flags \|= TLS_TCL_ASYNC; } else { statePtr->flags &= ~(TLS_TCL_ASYNC); } ~~return~~(0)~~;~~ return 0; } /* ------------------------------------------------------------------- * TlsClose2Proc -- *
︙
124 125 126 127 128 129 130 ~~131~~ 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 ~~147~~ 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163	124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164	- + - + +	errorCodePtr = 0; dprintf("WaitForConnect(%p)", statePtr); dprintFlags(statePtr); if (!(statePtr->flags & TLS_TCL_INIT)) { dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success"); ~~return~~(0)~~;~~ return 0; } if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { / * Different types of operations have different requirements * SSL being established / if (handshakeFailureIsPermanent) { dprintf("Asked to wait for a TLS handshake that has already failed. Returning fatal error"); errorCodePtr = ECONNABORTED; } else { dprintf("Asked to wait for a TLS handshake that has already failed. Returning soft error"); errorCodePtr = ECONNRESET; } Tls_Error(statePtr, "Wait for failed handshake"); ~~return~~(-1)~~;~~ return -1; } for (;;) { ERR_clear_error(); / Not initialized yet! Also calls SSL_do_handshake. */ if (statePtr->flags & TLS_TCL_SERVER) { dprintf("Calling SSL_accept()"); err = SSL_accept(statePtr->ssl); } else { dprintf("Calling SSL_connect()"); err = SSL_connect(statePtr->ssl); } if (err > 0) { dprintf("Accept or connect was successful");
︙
195 196 197 198 199 200 201 ~~202~~ 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 ~~224~~ 225 226 227 228 229 230 231	196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233	- + + - +	if (bioShouldRetry) { dprintf("The I/O did not complete -- but we should try it again"); if (statePtr->flags & TLS_TCL_ASYNC) { dprintf("Returning EAGAIN so that it can be retried later"); errorCodePtr = EAGAIN; Tls_Error(statePtr, "Handshake not complete, will retry later"); ~~return~~(-1)~~;~~ return -1; } else { dprintf("Doing so now"); continue; } } dprintf("We have either completely established the session or completely failed it -- there is no more need to ever retry it though"); break; } switch (rc) { case SSL_ERROR_NONE: / The TLS/SSL I/O operation completed / dprintf("The connection is good"); errorCodePtr = 0; break; case SSL_ERROR_ZERO_RETURN: /* The TLS/SSL peer has closed the connection for writing by sending the close_notify alert / dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value..."); errorCodePtr = EINVAL; Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert"); ~~return~~(-1)~~;~~ return -1; case SSL_ERROR_SYSCALL: /* Some non-recoverable, fatal I/O error occurred */ dprintf("SSL_ERROR_SYSCALL"); if (backingError == 0 && err == 0) { dprintf("EOF reached")
︙
247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 ~~265~~ 266 267 268 269 270 271 ~~272~~ 273 274 275 276 277 278 279	249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282	+ - + - +	errorCodePtr = ECONNABORTED; } Tls_Error(statePtr, (char ) ERR_reason_error_string(backingError)); } statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; return -1; case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error / dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately"); if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { Tls_Error(statePtr, (char ) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); } if (backingError != 0) { Tls_Error(statePtr, (char ) ERR_reason_error_string(backingError)); } statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; errorCodePtr = ECONNABORTED; ~~return~~(-1)~~;~~ return -1; default: /* The operation did not complete and should be retried later. / dprintf("Operation did not complete, call function again later: %i", rc); errorCodePtr = EAGAIN; dprintf("ERR(%d, %d) ", rc, errorCodePtr); Tls_Error(statePtr, "Operation did not complete, call function again later"); ~~return~~(-1)~~;~~ return -1; } dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake"); statePtr->flags &= ~TLS_TCL_INIT; dprintf("Returning in success"); errorCodePtr = 0;
︙
313 314 315 316 317 318 319 ~~320~~ 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 ~~336~~ 337 338 339 340 341 342 343	316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346	- + - +	errorCodePtr = 0; dprintf("BIO_read(%d)", bufSize); if (statePtr->flags & TLS_TCL_CALLBACK) { / don't process any bytes while verify callback is running / dprintf("Callback is running, reading 0 bytes"); ~~return~~(0)~~;~~ return 0; } dprintf("Calling Tls_WaitForConnect"); tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0); if (tlsConnect < 0) { dprintf("Got an error waiting to connect (tlsConnect = %i, errorCodePtr = %i)", tlsConnect, errorCodePtr); Tls_Error(statePtr, strerror(errorCodePtr)); bytesRead = -1; if (errorCodePtr == ECONNRESET) { dprintf("Got connection reset"); / Soft EOF / errorCodePtr = 0; bytesRead = 0; } ~~return(bytesRead);~~ return bytesRead; } /* * We need to clear the SSL error stack now because we sometimes reach * this function with leftover errors in the stack. If BIO_read * returns -1 and intends EAGAIN, there is a leftover error, it will be * misconstrued as an error, not EAGAIN.
︙
363 364 365 366 367 368 369 370 371 372 373 374 375 376	366 367 368 369 370 371 372 373 374 375 376 377 378 379 380	+	} #endif switch (err) { case SSL_ERROR_NONE: dprintBuffer(buf, bytesRead); break; case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error / dprintf("SSL error, indicating that the connection has been aborted"); if (backingError != 0) { Tls_Error(statePtr, (char ) ERR_reason_error_string(backingError)); } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl)));
︙
475 476 477 478 479 480 481 ~~482~~ 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 ~~498~~ 499 500 501 502 503 504 505 506 507 508 509 510 ~~511~~ 512 513 514 515 ~~516~~ 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568	479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578	- + - + - + - + + + + + + +	dprintf("BIO_write(%p, %d)", (void ) statePtr, toWrite); dprintBuffer(buf, toWrite); if (statePtr->flags & TLS_TCL_CALLBACK) { dprintf("Don't process output while callbacks are running"); written = -1; errorCodePtr = EAGAIN; ~~return~~(-1)~~;~~ return -1; } dprintf("Calling Tls_WaitForConnect"); tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1); if (tlsConnect < 0) { dprintf("Got an error waiting to connect (tlsConnect = %i, errorCodePtr = %i)", tlsConnect, errorCodePtr); Tls_Error(statePtr, strerror(errorCodePtr)); written = -1; if (errorCodePtr == ECONNRESET) { dprintf("Got connection reset"); /* Soft EOF / errorCodePtr = 0; written = 0; } ~~return(written);~~ return written; } if (toWrite == 0) { dprintf("zero-write"); err = BIO_flush(statePtr->bio); if (err <= 0) { dprintf("Flushing failed"); Tls_Error(statePtr, "Flush failed"); errorCodePtr = EIO; written = 0; ~~return~~(-1)~~;~~ return -1; } written = 0; errorCodePtr = 0; ~~return~~(0)~~;~~ return 0; } /* * We need to clear the SSL error stack now because we sometimes reach * this function with leftover errors in the stack. If BIO_write * returns -1 and intends EAGAIN, there is a leftover error, it will be * misconstrued as an error, not EAGAIN. * * Alternatively, we may want to handle the <0 return codes from * BIO_write specially (as advised in the RSA docs). TLS's lower level * BIO functions play with the retry flags though, and this seems to * work correctly. Similar fix in TlsInputProc. - hobbs / ERR_clear_error(); written = BIO_write(statePtr->bio, buf, toWrite); dprintf("BIO_write(%p, %d) -> [%d]", (void ) statePtr, toWrite, written); err = SSL_get_error(statePtr->ssl, written); backingError = ERR_get_error(); switch (err) { case SSL_ERROR_NONE: if (written < 0) { written = 0; } break; case SSL_ERROR_WANT_WRITE: dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN"); errorCodePtr = EAGAIN; written = -1; Tls_Error(statePtr, "SSL_ERROR_WANT_WRITE"); break; case SSL_ERROR_WANT_READ: dprintf(" write R BLOCK"); Tls_Error(statePtr, "SSL_ERROR_WANT_READ"); break; case SSL_ERROR_WANT_X509_LOOKUP: dprintf(" write X BLOCK"); Tls_Error(statePtr, "SSL_ERROR_WANT_X509_LOOKUP"); break; case SSL_ERROR_ZERO_RETURN: dprintf(" closed"); written = 0; errorCodePtr = 0; Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert"); break; case SSL_ERROR_SYSCALL: /* Some non-recoverable, fatal I/O error occurred / if (backingError == 0 && written == 0) { dprintf("EOF reached") errorCodePtr = 0; written = 0;
︙
577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 ~~604~~ 605 606 607 608 609 610 611	587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623	+ + - +	} else { dprintf("I/O error occurred (backingError = %lu)", backingError); errorCodePtr = Tcl_GetErrno(); written = -1; Tls_Error(statePtr, (char ) ERR_reason_error_string(backingError)); } break; case SSL_ERROR_SSL: /* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error / dprintf("SSL error, indicating that the connection has been aborted"); if (backingError != 0) { Tls_Error(statePtr, (char ) ERR_reason_error_string(backingError)); } else if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) { Tls_Error(statePtr, (char ) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl))); } else { Tls_Error(statePtr, "Unknown SSL error"); } errorCodePtr = ECONNABORTED; written = -1; break; default: dprintf("unknown error: %d", err); Tls_Error(statePtr, "Unknown error"); break; } dprintf("Output(%d) -> %d", toWrite, written); ~~return(written);~~ return written; } /* ------------------------------------------------------------------- * TlsSetOptionProc -- *
︙
795 796 797 798 799 800 801 ~~802~~ 803 804 805 806 807 808 809	807 808 809 810 811 812 813 814 815 816 817 818 819 820 821	- +	static int TlsGetHandleProc( void instanceData, / Socket state. / int direction, / TCL_READABLE or TCL_WRITABLE / void handlePtr) / Handle associated with the channel / { State statePtr = (State )instanceData; ~~return(Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr));~~ return Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr); } / ------------------------------------------------------------------- * TlsNotifyProc -- *
︙
860 861 862 863 864 865 866 ~~867~~ 868 869 870 871 872 873 874	872 873 874 875 876 877 878 879 880 881 882 883 884 885 886	- +	} dprintf("Tls_WaitForConnect returned an error"); } dprintf("Returning %i", mask); ~~return~~(mask)~~;~~ return mask; } /* ------------------------------------------------------ * * TlsChannelHandlerTimer -- *
︙
914 915 916 917 918 919 920 ~~921~~ 922 923 924 925 926 927 928	926 927 928 929 930 931 932 933 934 935 936 937 938 939 940	- +	} Tcl_Channel Tls_GetParent(State statePtr, int maskFlags) { dprintf("Requested to get parent of channel %p", statePtr->self); if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) { dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL"); ~~return~~(NULL)~~;~~ return NULL; } return Tcl_GetStackedChannel(statePtr->self); } / -------------------------------------------------------------------
︙