| ︙ | | |
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
+
+
+
+
+
|
* Evaluates callback command
*
*-------------------------------------------------------------------
*/
static int
EvalCallback(Tcl_Interp *interp, State *statePtr, Tcl_Obj *cmdPtr) {
int code, ok = 0;
dprintf("Called");
Tcl_Preserve((ClientData) interp);
Tcl_Preserve((ClientData) statePtr);
/* Eval callback with success for ok or return value 1, fail for error or return value 0 */
Tcl_ResetResult(interp);
code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL);
dprintf("EvalCallback: %d", code);
if (code == TCL_OK) {
/* Check result for return value */
Tcl_Obj *result = Tcl_GetObjResult(interp);
if (result == NULL || Tcl_GetIntFromObj(interp, result, &ok) != TCL_OK) {
ok = 1;
}
dprintf("Result: %d", ok);
} else {
/* Error - reject the certificate */
dprintf("Tcl_BackgroundError");
#if (TCL_MAJOR_VERSION == 8) && (TCL_MINOR_VERSION < 6)
Tcl_BackgroundError(interp);
#else
Tcl_BackgroundException(interp, code);
#endif
}
|
| ︙ | | |
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
|
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
|
-
+
+
-
+
+
+
+
+
+
|
* to a string describing the SSL negotiation failure reason
*
*-------------------------------------------------------------------
*/
static int
VerifyCallback(int ok, X509_STORE_CTX *ctx) {
Tcl_Obj *cmdPtr;
SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
State *statePtr = (State*)SSL_get_app_data(ssl);
Tcl_Interp *interp = statePtr->interp;
int depth = X509_STORE_CTX_get_error_depth(ctx);
int err = X509_STORE_CTX_get_error(ctx);
dprintf("Called");
dprintf("Verify: %d", ok);
dprintf("VerifyCallback: %d", ok);
if (statePtr->vcmd == (Tcl_Obj*)NULL) {
/* Use ok value if verification is required */
if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
return ok;
} else {
return 1;
}
} else if (cert == NULL || ssl == NULL) {
return 0;
}
dprintf("VerifyCallback: eval callback");
/* Create command to eval */
cmdPtr = Tcl_DuplicateObj(statePtr->vcmd);
Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1));
Tcl_ListObjAppendElement(interp, cmdPtr,
Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(depth));
Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert));
Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(ok));
Tcl_ListObjAppendElement(interp, cmdPtr,
Tcl_NewStringObj((char*)X509_verify_cert_error_string(err), -1));
/* Prevent I/O while callback is in progress */
/* statePtr->flags |= TLS_TCL_CALLBACK; */
/* Eval callback command */
Tcl_IncrRefCount(cmdPtr);
ok = EvalCallback(interp, statePtr, cmdPtr);
Tcl_DecrRefCount(cmdPtr);
dprintf("VerifyCallback: command result = %d", ok);
/* statePtr->flags &= ~(TLS_TCL_CALLBACK); */
return(ok); /* By default, leave verification unchanged. */
}
�
/*
*-------------------------------------------------------------------
|
| ︙ | | |
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
|
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
|
-
-
-
-
|
ret = Tls_WaitForConnect(statePtr, &err, 1);
dprintf("Tls_WaitForConnect returned: %i", ret);
if (ret < 0 && ((statePtr->flags & TLS_TCL_ASYNC) && (err == EAGAIN))) {
dprintf("Async set and err = EAGAIN");
ret = 0;
} else if (ret < 0) {
long result;
if ((result = SSL_get_verify_result(statePtr->ssl)) != X509_V_OK) {
Tcl_AppendResult(interp, " due to: ", X509_verify_cert_error_string(result), (char *) NULL);
}
|
| ︙ | | |
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
|
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
|
-
+
+
-
+
-
+
-
+
-
+
|
Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar);
Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding);
Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation);
Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking);
Tcl_SetChannelOption(interp, chan, "-translation", "binary");
Tcl_SetChannelOption(interp, chan, "-blocking", "true");
dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan));
statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr, (TCL_READABLE | TCL_WRITABLE), chan);
statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), (ClientData) statePtr,
(TCL_READABLE | TCL_WRITABLE), chan);
dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self));
if (statePtr->self == (Tcl_Channel) NULL) {
/*
* No use of Tcl_EventuallyFree because no possible Tcl_Preserve.
*/
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation));
Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding));
Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar));
Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking));
/*
* SSL Initialization
*/
statePtr->ssl = SSL_new(statePtr->ctx);
if (!statePtr->ssl) {
/* SSL library error */
Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "couldn't construct ssl session: ", GET_ERR_REASON(), (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "IMPORT", "INIT", "FAILED", (char *) NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
/* Set host server name */
if (servername) {
/* Sets the server name indication (SNI) in ClientHello extension */
/* Per RFC 6066, hostname is a ASCII encoded string, though RFC 4366 says UTF-8. */
if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) {
Tcl_AppendResult(interp, "setting TLS host name extension failed", (char *) NULL);
Tcl_AppendResult(interp, "Set SNI extension failed: ", GET_ERR_REASON(), (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SNI", "FAILED", (char *) NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
/* Set hostname for peer certificate hostname verification in clients.
Don't use SSL_set1_host since it has limitations. */
if (!SSL_add1_host(statePtr->ssl, servername)) {
Tcl_AppendResult(interp, "setting DNS host name failed", (char *) NULL);
Tcl_AppendResult(interp, "Set DNS hostname failed: ", GET_ERR_REASON(), (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "IMPORT", "HOSTNAME", "FAILED", (char *) NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
}
/* Resume session id */
if (session_id && sess_len <= SSL_MAX_SID_CTX_LENGTH) {
/* SSL_set_session() */
if (!SSL_SESSION_set1_id_context(SSL_get_session(statePtr->ssl), session_id, (unsigned int) sess_len)) {
Tcl_AppendResult(interp, "Resume session id ", session_id, " failed", (char *) NULL);
Tcl_AppendResult(interp, "Resume session failed: ", GET_ERR_REASON(), (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "IMPORT", "SESSION", "FAILED", (char *) NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
}
/* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0,
|
| ︙ | | |
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
|
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
|
-
+
-
+
|
return TCL_ERROR;
}
/* Determine the memory required for the protocol-list */
for (i = 0; i < cnt; i++) {
Tcl_GetStringFromObj(list[i], &len);
if (len > 255) {
Tcl_AppendResult(interp, "ALPN protocol name too long", (char *) NULL);
Tcl_AppendResult(interp, "ALPN protocol names too long", (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
protos_len += 1 + (int) len;
}
/* Build the complete protocol-list */
protos = ckalloc(protos_len);
/* protocol-lists consist of 8-bit length-prefixed, byte strings */
for (j = 0, p = protos; j < cnt; j++) {
char *str = Tcl_GetStringFromObj(list[j], &len);
*p++ = (unsigned char) len;
memcpy(p, str, (size_t) len);
p += len;
}
/* SSL_set_alpn_protos makes a copy of the protocol-list */
/* Note: This functions reverses the return value convention */
if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) {
Tcl_AppendResult(interp, "failed to set ALPN protocols", (char *) NULL);
Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL);
Tls_Free((char *) statePtr);
ckfree(protos);
return TCL_ERROR;
}
/* Store protocols list */
|
| ︙ | | |
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
|
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
|
-
+
-
+
-
+
-
+
|
}
SSL_CTX_set_tmp_dh(ctx, dh);
DH_free(dh);
} else {
/* Use well known DH parameters that have built-in support in OpenSSL */
if (!SSL_CTX_set_dh_auto(ctx, 1)) {
Tcl_AppendResult(interp, "Could not enable set DH auto: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Could not enable set DH auto: ", GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
}
}
#endif
/* set our certificate */
load_private_key = 0;
if (certfile != NULL) {
load_private_key = 1;
Tcl_DStringInit(&ds);
if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) {
Tcl_DStringFree(&ds);
Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ",
REASON(), (char *) NULL);
GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
} else if (cert != NULL) {
load_private_key = 1;
if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
Tcl_DStringFree(&ds);
Tcl_AppendResult(interp, "unable to set certificate: ",
REASON(), (char *) NULL);
GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
} else {
certfile = (char*)X509_get_default_cert_file();
if (SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM) <= 0) {
#if 0
Tcl_DStringFree(&ds);
Tcl_AppendResult(interp, "unable to use default certificate file ", certfile, ": ",
REASON(), (char *) NULL);
GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
#endif
}
}
/* set our private key */
|
| ︙ | | |
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
|
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
|
-
+
-
+
|
}
if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
Tcl_DStringFree(&ds);
/* flush the passphrase which might be left in the result */
Tcl_SetResult(interp, NULL, TCL_STATIC);
Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ",
REASON(), (char *) NULL);
Tcl_AppendResult(interp, "unable to set public key: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "unable to set public key: ", GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
}
}
/* Now we know that a key and cert have been set against
* the SSL context */
if (!SSL_CTX_check_private_key(ctx)) {
|
| ︙ | | |
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
|
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
|
-
+
|
/* int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx) and int SSL_CTX_set_default_verify_file(SSL_CTX *ctx) */
if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CAdir, &ds1)) ||
!SSL_CTX_set_default_verify_paths(ctx)) {
#if 0
Tcl_DStringFree(&ds);
Tcl_DStringFree(&ds1);
/* Don't currently care if this fails */
Tcl_AppendResult(interp, "SSL default verify paths: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "SSL default verify paths: ", GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
return NULL;
#endif
}
/* https://sourceforge.net/p/tls/bugs/57/ */
/* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
|
| ︙ | | |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
-
+
+
-
+
|
/*
* Copyright (C) 1997-2000 Matt Newman <[email protected]>
*
* Provides BIO layer to interface openssl to Tcl.
* Provides BIO layer to interface OpenSSL to TCL.
*/
#include "tlsInt.h"
/* Called by SSL_write() */
static int BioWrite(BIO *bio, const char *buf, int bufLen) {
Tcl_Channel chan;
Tcl_Size ret;
int tclEofChan, tclErrno;
chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
dprintf("[chan=%p] BioWrite(%p, <buf>, %d)", (void *)chan, (void *) bio, bufLen);
ret = Tcl_WriteRaw(chan, buf, (Tcl_Size) bufLen);
tclEofChan = Tcl_Eof(chan);
tclErrno = Tcl_GetErrno();
dprintf("[chan=%p] BioWrite(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d]",
(void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());
(void *) chan, bufLen, ret, tclEofChan, tclErrno);
BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
if (tclEofChan && ret <= 0) {
dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
Tcl_SetErrno(ECONNRESET);
ret = 0;
|
| ︙ | | |
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
-
+
+
|
if (tclErrno == EAGAIN) {
dprintf("It's EAGAIN");
} else {
dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);
}
} else {
dprintf("Successfully wrote some data");
dprintf("Successfully wrote %" TCL_SIZE_MODIFIER "d bytes of data", ret);
}
if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) {
if (BIO_should_read(bio)) {
dprintf("Setting should retry read flag");
BIO_set_retry_read(bio);
}
}
return((int) ret);
}
/* Called by SSL_read()*/
static int BioRead(BIO *bio, char *buf, int bufLen) {
Tcl_Channel chan;
Tcl_Size ret = 0;
int tclEofChan, tclErrno;
chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
|
| ︙ | | |
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
-
+
-
+
|
if (tclErrno == EAGAIN) {
dprintf("It's EAGAIN");
} else {
dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);
}
} else {
dprintf("Successfully read some data");
dprintf("Successfully read %" TCL_SIZE_MODIFIER "d bytes of data", ret);
}
if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) {
if (BIO_should_write(bio)) {
dprintf("Setting should retry write flag");
BIO_set_retry_write(bio);
}
}
dprintf("BioRead(%p, <buf>, %d) [%p] returning %" TCL_SIZE_MODIFIER "d", (void *) bio,
bufLen, (void *) chan, ret);
return((int) ret);
}
static int BioPuts(BIO *bio, const char *str) {
dprintf("BioPuts(%p, <string:%p>) called", bio, str);
return BioWrite(bio, str, (int) strlen(str));
return(BioWrite(bio, str, (int) strlen(str)));
}
static long BioCtrl(BIO *bio, int cmd, long num, void *ptr) {
Tcl_Channel chan;
long ret = 1;
chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
|
| ︙ | | |
| ︙ | | |
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
|
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
|
-
+
|
break;
case TYPE_CMAC:
res = CMAC_Init(statePtr->cctx, key, (int) key_len, cipher, NULL);
break;
}
if (!res) {
Tcl_AppendResult(interp, "Initialize failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Initialize failed: ", GET_ERR_REASON(), (char *) NULL);
return TCL_ERROR;
}
return TCL_OK;
}
/*
*-------------------------------------------------------------------
|
| ︙ | | |
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
|
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
|
-
+
|
break;
case TYPE_CMAC:
res = CMAC_Update(statePtr->cctx, buf, (size_t) read);
break;
}
if (!res && do_result) {
Tcl_AppendResult(statePtr->interp, "Update failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(statePtr->interp, "Update failed: ", GET_ERR_REASON(), (char *) NULL);
return TCL_ERROR;
}
return TCL_OK;
}
/*
*-------------------------------------------------------------------
|
| ︙ | | |
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
|
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
|
-
+
|
res = CMAC_Final(statePtr->cctx, md_buf, &size);
md_len = (int) size;
break;
}
if (!res) {
if (resultObj == NULL) {
Tcl_AppendResult(interp, "Finalize failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Finalize failed: ", GET_ERR_REASON(), (char *) NULL);
}
return TCL_ERROR;
}
/* Return message digest as either a binary or hex string */
if (statePtr->format & BIN_FORMAT) {
if (resultObj == NULL) {
|
| ︙ | | |
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
|
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
|
-
+
-
+
|
parent = Tcl_GetStackedChannel(statePtr->self);
read = Tcl_ReadRaw(parent, buf, (Tcl_Size) toRead);
/* Update hash function */
if (read > 0) {
/* Have data */
if (DigestUpdate(statePtr, buf, read, 0) != TCL_OK) {
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", REASON()));
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", GET_ERR_REASON()));
*errorCodePtr = EINVAL;
return 0;
}
/* This is correct */
read = -1;
*errorCodePtr = EAGAIN;
} else if (read < 0) {
/* Error */
*errorCodePtr = Tcl_GetErrno();
} else if (!(statePtr->flags & CHAN_EOF)) {
/* EOF */
Tcl_Obj *resultObj;
if (DigestFinalize(statePtr->interp, statePtr, &resultObj) == TCL_OK) {
unsigned char *data = Tcl_GetByteArrayFromObj(resultObj, &read);
memcpy(buf, data, (int) read);
Tcl_DecrRefCount(resultObj);
} else {
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Finalize failed: %s", REASON()));
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Finalize failed: %s", GET_ERR_REASON()));
*errorCodePtr = EINVAL;
read = 0;
}
statePtr->flags |= CHAN_EOF;
}
return (int) read;
}
|
| ︙ | | |
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
|
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
|
-
+
|
/* Abort if nothing to process */
if (toWrite <= 0 || statePtr->self == (Tcl_Channel) NULL) {
return 0;
}
/* Update hash function */
if (DigestUpdate(statePtr, buf, (Tcl_Size) toWrite, 0) != TCL_OK) {
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", REASON()));
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", GET_ERR_REASON()));
*errorCodePtr = EINVAL;
return 0;
}
return toWrite;
}
/*
|
| ︙ | | |
| ︙ | | |
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
|
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
|
-
+
|
if (type == TYPE_ENCRYPT) {
res = EVP_EncryptInit_ex(*ctx, cipher, NULL, key, iv);
} else {
res = EVP_DecryptInit_ex(*ctx, cipher, NULL, key, iv);
}
if(!res) {
Tcl_AppendResult(interp, "Initialize failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Initialize failed: ", GET_ERR_REASON(), (char *) NULL);
return TCL_ERROR;
}
/* Erase buffers */
memset(key, 0, EVP_MAX_KEY_LENGTH);
memset(iv, 0, EVP_MAX_IV_LENGTH);
return TCL_OK;
|
| ︙ | | |
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
|
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
|
-
+
|
} else {
res = EVP_DecryptUpdate(ctx, out_buf, out_len, data, (int) data_len);
}
if (res) {
return TCL_OK;
} else {
Tcl_AppendResult(interp, "Update failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Update failed: ", GET_ERR_REASON(), (char *) NULL);
return TCL_ERROR;
}
}
/*
*-------------------------------------------------------------------
*
|
| ︙ | | |
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
-
+
|
} else {
res = EVP_DecryptFinal_ex(ctx, out_buf, out_len);
}
if (res) {
return TCL_OK;
} else {
Tcl_AppendResult(interp, "Finalize failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Finalize failed: ", GET_ERR_REASON(), (char *) NULL);
return TCL_ERROR;
}
}
/*******************************************************************/
/*
|
| ︙ | | |
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
|
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
|
-
+
-
+
|
if (out_len > 0) {
read = (Tcl_Size) out_len;
} else {
*errorCodePtr = EAGAIN;
read = -1;
}
} else {
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", REASON()));
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", GET_ERR_REASON()));
*errorCodePtr = EINVAL;
read = 0;
}
} else if (read < 0) {
/* Error */
*errorCodePtr = Tcl_GetErrno();
} else if (!(statePtr->flags & CHAN_EOF)) {
/* EOF - Finalize function and put any remaining data in buf */
if (EncryptFinalize(statePtr->interp, statePtr->type, statePtr->ctx, buf, &out_len) == TCL_OK) {
read = (Tcl_Size) out_len;
} else {
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Finalize failed: %s", REASON()));
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Finalize failed: %s", GET_ERR_REASON()));
*errorCodePtr = EINVAL;
read = 0;
}
statePtr->flags |= CHAN_EOF;
}
Tcl_Free(in_buf);
|
| ︙ | | |
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
|
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
|
-
+
|
write = toWrite;
} else {
*errorCodePtr = EAGAIN;
write = -1;
}
} else {
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", REASON()));
Tcl_SetChannelError(statePtr->self, Tcl_ObjPrintf("Update failed: %s", GET_ERR_REASON()));
*errorCodePtr = EINVAL;
write = 0;
}
Tcl_Free(out_buf);
return write;
}
|
| ︙ | | |
| ︙ | | |
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
+
+
+
-
-
+
+
+
-
-
-
+
+
+
+
+
|
if (handshakeFailureIsPermanent) {
dprintf("Asked to wait for a TLS handshake that has already failed. Returning fatal error");
*errorCodePtr = ECONNABORTED;
} else {
dprintf("Asked to wait for a TLS handshake that has already failed. Returning soft error");
*errorCodePtr = ECONNRESET;
}
Tls_Error(statePtr, "Wait for failed handshake");
return(-1);
}
for (;;) {
ERR_clear_error();
/* Not initialized yet! Also calls SSL_do_handshake. */
if (statePtr->flags & TLS_TCL_SERVER) {
dprintf("Calling SSL_accept()");
err = SSL_accept(statePtr->ssl);
} else {
dprintf("Calling SSL_connect()");
err = SSL_connect(statePtr->ssl);
}
if (err > 0) {
dprintf("That seems to have gone okay");
dprintf("Got error: %i (rc = %i)", err, rc);
dprintf("Got error: %s", REASON());
backingError = ERR_get_error();
if (rc != SSL_ERROR_NONE) {
dprintf("Got error: %i (rc = %i)", err, rc);
dprintf("Got error: %s", GET_ERR_REASON());
}
bioShouldRetry = 0;
if (err <= 0) {
if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) {
bioShouldRetry = 1;
} else if (BIO_should_retry(statePtr->bio)) {
bioShouldRetry = 1;
|
| ︙ | | |
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
|
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
|
-
-
-
-
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
-
-
+
+
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
|
}
if (bioShouldRetry) {
dprintf("The I/O did not complete -- but we should try it again");
if (statePtr->flags & TLS_TCL_ASYNC) {
dprintf("Returning EAGAIN so that it can be retried later");
/* The connection is up, we are done here */
dprintf("The connection is up");
/* The TLS/SSL I/O operation completed */
dprintf("The connection is good");
*errorCodePtr = 0;
break;
case SSL_ERROR_ZERO_RETURN:
/* The TLS/SSL peer has closed the connection for writing by sending the close_notify alert */
dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...");
*errorCodePtr = EINVAL;
Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert");
return(-1);
case SSL_ERROR_SYSCALL:
backingError = ERR_get_error();
/* Some non-recoverable, fatal I/O error occurred */
dprintf("SSL_ERROR_SYSCALL");
if (backingError == 0 && err == 0) {
dprintf("EOF reached")
*errorCodePtr = ECONNRESET;
Tls_Error(statePtr, "(unexpected) EOF reached");
} else if (backingError == 0 && err == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
if (*errorCodePtr == ECONNRESET) {
*errorCodePtr = ECONNABORTED;
}
Tls_Error(statePtr, Tcl_ErrnoMsg(Tcl_GetErrno()));
} else {
dprintf("I/O error occurred (backingError = %lu)", backingError);
*errorCodePtr = backingError;
if (*errorCodePtr == ECONNRESET) {
*errorCodePtr = ECONNABORTED;
}
Tls_Error(statePtr, ERR_reason_error_string(backingError));
}
statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
return(-1);
case SSL_ERROR_SSL:
/* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
dprintf("Got permanent fatal SSL error, aborting immediately");
Tls_Error(statePtr, (char *)REASON());
dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately");
if (backingError != 0) {
Tls_Error(statePtr, ERR_reason_error_string(backingError));
}
if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) {
Tls_Error(statePtr, X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl)));
}
statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
*errorCodePtr = ECONNABORTED;
return(-1);
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_WANT_CONNECT:
case SSL_ERROR_WANT_ACCEPT:
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_WANT_ASYNC:
case SSL_ERROR_WANT_ASYNC_JOB:
case SSL_ERROR_WANT_CLIENT_HELLO_CB:
default:
/* The operation did not complete and should be retried later. */
dprintf("We got a confusing reply: %i", rc);
*errorCodePtr = Tcl_GetErrno();
dprintf("Operation did not complete, call function again later: %i", rc);
*errorCodePtr = EAGAIN;
dprintf("ERR(%d, %d) ", rc, *errorCodePtr);
return(-1);
}
#if 0
if (statePtr->flags & TLS_TCL_SERVER) {
dprintf("This is an TLS server, checking the certificate for the peer");
err = SSL_get_verify_result(statePtr->ssl);
if (err != X509_V_OK) {
dprintf("Invalid certificate, returning in failure");
Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err));
statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
*errorCodePtr = ECONNABORTED;
}
}
#endif
|
| ︙ | | |
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
|
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
|
+
+
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
-
+
+
+
+
+
+
+
+
|
* correctly. Similar fix in TlsOutputProc. - hobbs
*/
ERR_clear_error();
bytesRead = BIO_read(statePtr->bio, buf, bufSize);
dprintf("BIO_read -> %d", bytesRead);
err = SSL_get_error(statePtr->ssl, bytesRead);
backingError = ERR_get_error();
#if 0
if (bytesRead <= 0) {
if (BIO_should_retry(statePtr->bio)) {
dprintf("I/O failed, will retry based on EAGAIN");
*errorCodePtr = EAGAIN;
}
}
#endif
switch (err) {
case SSL_ERROR_NONE:
dprintBuffer(buf, bytesRead);
break;
case SSL_ERROR_SSL:
/* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
dprintf("SSL negotiation error, indicating that the connection has been aborted");
Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, bytesRead));
*errorCodePtr = ECONNABORTED;
bytesRead = -1;
dprintf("SSL error, indicating that the connection has been aborted");
if (backingError != 0) {
Tls_Error(statePtr, ERR_reason_error_string(backingError));
}
*errorCodePtr = ECONNABORTED;
bytesRead = -1;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
/* Unexpected EOF from the peer for OpenSSL 3.0+ */
if (ERR_GET_REASON(backingError) == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
dprintf("(Unexpected) EOF reached")
*errorCodePtr = 0;
bytesRead = 0;
Tls_Error(statePtr, "EOF reached");
}
#endif
break;
case SSL_ERROR_SYSCALL:
backingError = ERR_get_error();
dprintf("EOF reached")
dprintf("(Unexpected) EOF reached")
*errorCodePtr = 0;
bytesRead = 0;
Tls_Error(statePtr, "EOF reached");
} else if (backingError == 0 && bytesRead == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
bytesRead = -1;
Tls_Error(statePtr, Tcl_ErrnoMsg(Tcl_GetErrno()));
} else {
dprintf("I/O error occurred (backingError = %lu)", backingError);
*errorCodePtr = backingError;
bytesRead = -1;
Tls_Error(statePtr, ERR_reason_error_string(backingError));
}
break;
case SSL_ERROR_ZERO_RETURN:
dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached");
bytesRead = 0;
*errorCodePtr = 0;
Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert");
break;
case SSL_ERROR_WANT_READ:
dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN");
bytesRead = -1;
*errorCodePtr = EAGAIN;
Tls_Error(statePtr, "SSL_ERROR_WANT_READ");
break;
default:
dprintf("Unknown error (err = %i), mapping to EOF", err);
*errorCodePtr = 0;
bytesRead = 0;
break;
|
| ︙ | | |
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
|
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
|
+
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
-
+
+
-
+
|
* work correctly. Similar fix in TlsInputProc. - hobbs
*/
ERR_clear_error();
written = BIO_write(statePtr->bio, buf, toWrite);
dprintf("BIO_write(%p, %d) -> [%d]", (void *) statePtr, toWrite, written);
err = SSL_get_error(statePtr->ssl, written);
backingError = ERR_get_error();
switch (err) {
case SSL_ERROR_NONE:
if (written < 0) {
written = 0;
}
break;
case SSL_ERROR_WANT_WRITE:
dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN");
*errorCodePtr = EAGAIN;
written = -1;
Tls_Error(statePtr, "SSL_ERROR_WANT_WRITE");
break;
case SSL_ERROR_WANT_READ:
dprintf(" write R BLOCK");
Tls_Error(statePtr, "SSL_ERROR_WANT_READ");
break;
case SSL_ERROR_WANT_X509_LOOKUP:
dprintf(" write X BLOCK");
Tls_Error(statePtr, "SSL_ERROR_WANT_X509_LOOKUP");
break;
case SSL_ERROR_ZERO_RETURN:
dprintf(" closed");
written = 0;
*errorCodePtr = 0;
Tls_Error(statePtr, "Peer has closed the connection for writing by sending the close_notify alert");
break;
case SSL_ERROR_SYSCALL:
backingError = ERR_get_error();
Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, written));
Tls_Error(statePtr, ERR_reason_error_string(backingError));
}
*errorCodePtr = ECONNABORTED;
written = -1;
break;
default:
dprintf(" unknown err: %d", err);
dprintf("unknown error: %d", err);
break;
}
if (*errorCodePtr < 0) {
Tls_Error(statePtr, strerror(*errorCodePtr));
}
dprintf("Output(%d) -> %d", toWrite, written);
|
| ︙ | | |
| ︙ | | |
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
-
+
|
iklen = EVP_CIPHER_key_length(cipher);
ivlen = EVP_CIPHER_iv_length(cipher);
dk_len = iklen+ivlen;
}
/* Derive key */
if (!PKCS5_PBKDF2_HMAC(pass, (int) pass_len, salt, (int) salt_len, iter, md, dk_len, tmpkeyiv)) {
Tcl_AppendResult(interp, "Key derivation failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Key derivation failed: ", GET_ERR_REASON(), (char *) NULL);
return TCL_ERROR;
}
/* Set result to key and iv */
if (cipher == NULL) {
Tcl_SetObjResult(interp, Tcl_NewByteArrayObj(tmpkeyiv, (Tcl_Size) dk_len));
} else {
|
| ︙ | | |
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
|
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
|
-
+
-
+
-
+
-
+
-
+
-
+
|
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
if (pctx == NULL) {
Tcl_AppendResult(interp, "Memory allocation error", (char *) NULL);
goto error;
}
if (EVP_PKEY_derive_init(pctx) < 1) {
Tcl_AppendResult(interp, "Initialize failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Initialize failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
/* Set config parameters */
if (EVP_PKEY_CTX_set_hkdf_md(pctx, md) < 1) {
Tcl_AppendResult(interp, "Set digest failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set digest failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (EVP_PKEY_CTX_set1_hkdf_key(pctx, key, (int) key_len) < 1) {
Tcl_AppendResult(interp, "Set key failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set key failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (salt != NULL && EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, (int) salt_len) < 1) {
Tcl_AppendResult(interp, "Set salt failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set salt failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (info != NULL && EVP_PKEY_CTX_add1_hkdf_info(pctx, info, (int) info_len) < 1) {
Tcl_AppendResult(interp, "Set info failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set info failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
/* Get buffer */
resultObj = Tcl_NewObj();
if ((out = Tcl_SetByteArrayLength(resultObj, (Tcl_Size) dk_len)) == NULL) {
Tcl_AppendResult(interp, "Memory allocation error", (char *) NULL);
goto error;
}
out_len = (size_t) dk_len;
/* Derive key */
if (EVP_PKEY_derive(pctx, out, &out_len) > 0) {
/* Shrink buffer to actual size */
Tcl_SetByteArrayLength(resultObj, (Tcl_Size) out_len);
Tcl_SetObjResult(interp, resultObj);
res = TCL_OK;
goto done;
} else {
Tcl_AppendResult(interp, "Key derivation failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Key derivation failed: ", GET_ERR_REASON(), (char *) NULL);
Tcl_DecrRefCount(resultObj);
}
error:
res = TCL_ERROR;
done:
if (pctx != NULL) {
|
| ︙ | | |
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
|
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
|
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
|
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);
if (pctx == NULL) {
Tcl_AppendResult(interp, "Memory allocation error", (char *) NULL);
goto error;
}
if (EVP_PKEY_derive_init(pctx) < 1) {
Tcl_AppendResult(interp, "Initialize failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Initialize failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
/* Set config parameters */
if (EVP_PKEY_CTX_set1_pbe_pass(pctx, pass, (int) pass_len) < 1) {
Tcl_AppendResult(interp, "Set key failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set key failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, salt, (int) salt_len) < 1) {
Tcl_AppendResult(interp, "Set salt failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set salt failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (N != 0 && EVP_PKEY_CTX_set_scrypt_N(pctx, N) < 1) {
Tcl_AppendResult(interp, "Set cost parameter (N) failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set cost parameter (N) failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (r != 0 && EVP_PKEY_CTX_set_scrypt_r(pctx, r) < 1) {
Tcl_AppendResult(interp, "Set lock size parameter (r) failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set lock size parameter (r) failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (p != 0 && EVP_PKEY_CTX_set_scrypt_p(pctx, p) < 1) {
Tcl_AppendResult(interp, "Set Parallelization parameter (p) failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set Parallelization parameter (p) failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
if (maxmem != 0 && EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, maxmem) < 1) {
Tcl_AppendResult(interp, "Set max memory failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Set max memory failed: ", GET_ERR_REASON(), (char *) NULL);
goto error;
}
/* Get buffer */
resultObj = Tcl_NewObj();
if ((out = Tcl_SetByteArrayLength(resultObj, (Tcl_Size) dk_len)) == NULL) {
Tcl_AppendResult(interp, "Memory allocation error", (char *) NULL);
goto error;
}
out_len = (size_t) dk_len;
/* Derive key */
if (EVP_PKEY_derive(pctx, out, &out_len) > 0) {
/* Shrink buffer to actual size */
Tcl_SetByteArrayLength(resultObj, (Tcl_Size) out_len);
Tcl_SetObjResult(interp, resultObj);
goto done;
} else {
Tcl_AppendResult(interp, "Key derivation failed: ", REASON(), (char *) NULL);
Tcl_AppendResult(interp, "Key derivation failed: ", GET_ERR_REASON(), (char *) NULL);
Tcl_DecrRefCount(resultObj);
}
error:
res = TCL_ERROR;
done:
|
| ︙ | | |