TclTLS
Check-in [77c3091474]
Login
HomeTimelineDownloadBrowse SourceBranchesTagsTicketsWiki
Overview
Comment:Merged in trunk
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | wip-fix-io-layer
Files: files | file ages | folders
SHA1: 77c30914745c6ef5099d0f096de526b399ec0e45
User & Date: rkeene on 2016-12-12 22:29:14
Other Links: branch diff | manifest | tags
Context
2016-12-12
22:40
Merged in trunk check-in: 83a3aff031 user: rkeene tags: wip-fix-io-layer
22:29
Merged in trunk check-in: 77c3091474 user: rkeene tags: wip-fix-io-layer
22:28
Added hardening and debugging flags check-in: 8d5b3e826a user: rkeene tags: trunk
01:56
Disabled checking the client certificate and aborting if not found check-in: 916215af0a user: rkeene tags: wip-fix-io-layer
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Modified autogen.sh from [927c73a64e] to [d8561c1b95]. 

9
10
11
12
13
14
15

16
17
18
19
20
21
22

9
10
11
12
13
14
15
16
17
18
19
20
21
22
23








+








	curl diff cat mkdir rm mv automake autoconf
)

urls=(
	http://chiselapp.com/user/rkeene/repository/autoconf/doc/trunk/tcl.m4
	http://chiselapp.com/user/rkeene/repository/autoconf/doc/trunk/shobj.m4
	http://chiselapp.com/user/rkeene/repository/autoconf/doc/trunk/versionscript.m4
	'http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/ax_check_compile_flag.m4'
)

localFiles=(
	aclocal/tcltls_openssl.m4
)

failed='0'

Modified configure.in from [7c9a116cf5] to [8214883dcb]. 

104
105
106
107
108
109
110



111
112
113
114
115
116
117

104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120








+
+
+








AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [
	if test "$enableval" = "yes"; then
		tcltls_debug='true'
	fi
])
if test "$tcltls_debug" = 'true'; then
	AC_DEFINE(TCLEXT_TCLTLS_DEBUG, [1], [Enable debugging build])
	AX_CHECK_COMPILE_FLAG([-fcheck-pointer-bounds], [CFLAGS="$CFLAGS -fcheck-pointer-bounds"])
	AX_CHECK_COMPILE_FLAG([-fsanitize=address], [CFLAGS="$CFLAGS -fsanitize=address"])
	AX_CHECK_COMPILE_FLAG([-fsanitize=undefined], [CFLAGS="$CFLAGS -fsanitize=undefined"])
fi

dnl Find "xxd" so we can build the tls.tcl.h file
AC_CHECK_PROG([XXD], [xxd], [xxd], [__xxd__not__found])

dnl Find "pkg-config" since we need to use it
AC_CHECK_TOOL([PKGCONFIG], [pkg-config], [false])

132
133
134
135
136
137
138





139
140
141
142
143
144
145

135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153








+
+
+
+
+








TCLEXT_TLS_STATIC_SSL='no'
AC_ARG_ENABLE([static-ssl], AS_HELP_STRING([--enable-static-ssl], [enable statically linking to the specified SSL library]), [
	if test "$enableval" = 'yes'; then
		TCLEXT_TLS_STATIC_SSL='yes'
	fi
])

dnl Enable hardening
AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [CFLAGS="$CFLAGS -fstack-protector-all"])
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overflow"])
AC_DEFINE([_FORTIFY_SOURCE], [2], [Enable fortification])

dnl XXX:TODO: Automatically determine the SSL library to use
dnl           defaulting to OpenSSL for compatibility reasons
if test "$tcltls_ssl_lib" = 'auto'; then
	tcltls_ssl_lib='openssl'
fi

AC_MSG_CHECKING([which TLS library to use])

Modified gen_dh_params from [2fbb069da4] to [04b0a25d98]. 

98
99
100
101
102
103
104




105
106
107
108
109

98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113








+
+
+
+






# Enable support for giving the same DH params each time
if [ "$1" = 'fallback' ]; then
	gen_dh_params_fallback && exit 0

	exit 1
fi

echo "*****************************"
echo "** Generating DH Primes.   **"
echo "** This will take a while. **"
echo "*****************************"
gen_dh_params_openssl && exit 0
gen_dh_params_remote && exit 0
gen_dh_params_fallback && exit 0

exit 1

Modified tls.c from [2904872c77] to [21bebdaf3c]. 

61
62
63
64
65
66
67
68

69
70
71
72
73
74
75

61
62
63
64
65
66
67

68
69
70
71
72
73
74
75








-
+








static int	UnimportObjCmd(ClientData clientData,
			Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]);

static SSL_CTX *CTX_Init(State *statePtr, int proto, char *key,
			char *cert, char *CAdir, char *CAfile, char *ciphers,
			char *DHparams);

static int	TlsLibInit(void);
static int	TlsLibInit(int uninitialize);

#define TLS_PROTO_SSL2		0x01
#define TLS_PROTO_SSL3		0x02
#define TLS_PROTO_TLS1		0x04
#define TLS_PROTO_TLS1_1	0x08
#define TLS_PROTO_TLS1_2	0x10
#define ENABLED(flag, mask)	(((flag) & (mask)) == (mask))

113
114
115
116
117
118
119
120
121
122
123

124
125
126
127


128
129
130

131
132
133
134
135
136





137
138
139

140
141
142

143
144
145
146
147
148
149

113
114
115
116
117
118
119




120
121
122


123
124
125


126






127
128
129
130
131
132
133

134



135
136
137
138
139
140
141
142








-
-
-
-
+


-
-
+
+

-
-
+
-
-
-
-
-
-
+
+
+
+
+


-
+
-
-
-
+








#include <openssl/crypto.h>

/*
 * Threaded operation requires locking callbacks
 * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL.
 */

#ifndef CRYPTO_NUM_LOCKS
#define CRYPTO_NUM_LOCKS 128
#endif
static Tcl_Mutex locks[CRYPTO_NUM_LOCKS];
static Tcl_Mutex *locks = NULL;
static Tcl_Mutex init_mx;

static void          CryptoThreadLockCallback (int mode, int n, const char *file, int line);
static unsigned long CryptoThreadIdCallback   (void);
static void          CryptoThreadLockCallback(int mode, int n, const char *file, int line);
static unsigned long CryptoThreadIdCallback(void);

static void
CryptoThreadLockCallback(int mode, int n, const char *file, int line)
static void CryptoThreadLockCallback(int mode, int n, const char *file, int line) {
{
    if (mode & CRYPTO_LOCK) {
       Tcl_MutexLock(&locks[n]);
    } else {
       Tcl_MutexUnlock(&locks[n]);
    }
	if (mode & CRYPTO_LOCK) {
		Tcl_MutexLock(&locks[n]);
	} else {
		Tcl_MutexUnlock(&locks[n]);
	}
}

static unsigned long
static unsigned long CryptoThreadIdCallback(void) {
CryptoThreadIdCallback(void)
{
    return (unsigned long) Tcl_GetCurrentThread();
	return (unsigned long) Tcl_GetCurrentThread();
}
#endif /* OPENSSL_THREADS */
#endif /* TCL_THREADS */


/*
 *-------------------------------------------------------------------

1654
1655
1656
1657
1658
1659
1660
1661

1662
1663
1664
1665
1666
1667
1668

1647
1648
1649
1650
1651
1652
1653

1654
1655
1656
1657
1658
1659
1660
1661








-
+








#else
	    Tcl_PkgRequire(interp, "Tcl", "8.4", 0)
#endif
	     == NULL) {
		return TCL_ERROR;
	}

	if (TlsLibInit() != TCL_OK) {
	if (TlsLibInit(0) != TCL_OK) {
		Tcl_AppendResult(interp, "could not initialize SSL library", NULL);
		return TCL_ERROR;
	}

	Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
	Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
	Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);

1715
1716
1717
1718
1719
1720
1721
1722

1723
1724































1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744

1745
1746
1747
1748
1749
1750
1751
1752
1753
1754

1708
1709
1710
1711
1712
1713
1714

1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759


1760

1761


1762

1763



1764
1765
1766
1767
1768
1769
1770








-
+


+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+











-
-

-

-
-

-
+
-
-
-








 *		initilizes SSL library
 *
 *	Result:
 *		none
 *
 *------------------------------------------------------*
 */
static int TlsLibInit(void) {
static int TlsLibInit(int uninitialize) {
	static int initialized = 0;
	int status = TCL_OK;
#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
	size_t num_locks;
#endif

	if (uninitialize) {
		if (!initialized) {
			dprintf("Asked to uninitialize, but we are not initialized");

			return(TCL_OK);
		}

		dprintf("Asked to uninitialize");
#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
		Tcl_MutexLock(&init_mx);

		CRYPTO_set_locking_callback(NULL);
		CRYPTO_set_id_callback(NULL);

		if (locks) {
			free(locks);
			locks = NULL;
		}
#endif
		initialized = 0;

#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
		Tcl_MutexUnlock(&init_mx);
#endif

		return(TCL_OK);
	}

	if (initialized) {
		dprintf("Called, but using cached value");
		return(status);
	}

	dprintf("Called");

	initialized = 1;

#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
	size_t num_locks;

	Tcl_MutexLock(&init_mx);
#endif

#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
	/* should we consider allocating mutexes? */
	num_locks = CRYPTO_num_locks();
	if (num_locks > CRYPTO_NUM_LOCKS) {
	locks = malloc(sizeof(*locks) * num_locks);
		status = TCL_ERROR;
		goto done;
	}

	CRYPTO_set_locking_callback(CryptoThreadLockCallback);
	CRYPTO_set_id_callback(CryptoThreadIdCallback);
#endif

	if (SSL_library_init() != 1) {
		status = TCL_ERROR;

Powered by Fossil · RSS