Index: Makefile.in ================================================================== --- Makefile.in +++ Makefile.in @@ -7,10 +7,11 @@ LIBS = @LIBS@ PACKAGE_VERSION = @PACKAGE_VERSION@ prefix = @prefix@ exec_prefix = @exec_prefix@ libdir = @libdir@ +genericdir = @srcdir@/generic TCL_PACKAGE_PATH = @TCL_PACKAGE_PATH@ PACKAGE_INSTALL_DIR = $(TCL_PACKAGE_PATH)/tcltls$(PACKAGE_VERSION) INSTALL = @INSTALL@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_DATA = @INSTALL_DATA@ @@ -31,21 +32,21 @@ static-@EXTENSION_TARGET@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile $(AR) rcu static-@EXTENSION_TARGET@ tls.o tlsBIO.o tlsIO.o tlsX509.o -$(RANLIB) static-@EXTENSION_TARGET@ # Dependencies for all our targets -tls.o: @srcdir@/tls.c @srcdir@/tlsInt.h @srcdir@/tclOpts.h tls.tcl.h dh_params.h Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) -o tls.o -c @srcdir@/tls.c - -tlsBIO.o: @srcdir@/tlsBIO.c @srcdir@/tlsInt.h Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) -o tlsBIO.o -c @srcdir@/tlsBIO.c - -tlsIO.o: @srcdir@/tlsIO.c @srcdir@/tlsInt.h Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) -o tlsIO.o -c @srcdir@/tlsIO.c - -tlsX509.o: @srcdir@/tlsX509.c @srcdir@/tlsInt.h Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) -o tlsX509.o -c @srcdir@/tlsX509.c +tls.o: $(genericdir)/tls.c $(genericdir)/tlsInt.h $(genericdir)/tclOpts.h tls.tcl.h dh_params.h Makefile + $(CC) $(CPPFLAGS) $(CFLAGS) -o tls.o -c $(genericdir)/tls.c + +tlsBIO.o: $(genericdir)/tlsBIO.c $(genericdir)/tlsInt.h Makefile + $(CC) $(CPPFLAGS) $(CFLAGS) -o tlsBIO.o -c $(genericdir)/tlsBIO.c + +tlsIO.o: $(genericdir)/tlsIO.c $(genericdir)/tlsInt.h Makefile + $(CC) $(CPPFLAGS) $(CFLAGS) -o tlsIO.o -c $(genericdir)/tlsIO.c + +tlsX509.o: $(genericdir)/tlsX509.c $(genericdir)/tlsInt.h Makefile + $(CC) $(CPPFLAGS) $(CFLAGS) -o tlsX509.o -c $(genericdir)/tlsX509.c # Create a C-source-ified version of the script resources # for TclTLS so that we only need a single file to enable # this extension tls.tcl.h: @srcdir@/tls.tcl Makefile ADDED generic/tclOpts.h Index: generic/tclOpts.h ================================================================== --- /dev/null +++ generic/tclOpts.h @@ -0,0 +1,58 @@ +/* + * Copyright (C) 1997-2000 Matt Newman + * + * Stylized option processing - requires consitent + * external vars: opt, idx, objc, objv + */ +#ifndef _TCL_OPTS_H +#define _TCL_OPTS_H + +#define OPT_PROLOG(option) \ + if (strcmp(opt, (option)) == 0) { \ + if (++idx >= objc) { \ + Tcl_AppendResult(interp, \ + "no argument given for ", \ + (option), " option", \ + (char *) NULL); \ + return TCL_ERROR; \ + } +#define OPT_POSTLOG() \ + continue; \ + } +#define OPTOBJ(option, var) \ + OPT_PROLOG(option) \ + var = objv[idx]; \ + OPT_POSTLOG() + +#define OPTSTR(option, var) \ + OPT_PROLOG(option) \ + var = Tcl_GetString(objv[idx]);\ + OPT_POSTLOG() + +#define OPTINT(option, var) \ + OPT_PROLOG(option) \ + if (Tcl_GetIntFromObj(interp, objv[idx], \ + &(var)) != TCL_OK) { \ + return TCL_ERROR; \ + } \ + OPT_POSTLOG() + +#define OPTBOOL(option, var) \ + OPT_PROLOG(option) \ + if (Tcl_GetBooleanFromObj(interp, objv[idx],\ + &(var)) != TCL_OK) { \ + return TCL_ERROR; \ + } \ + OPT_POSTLOG() + +#define OPTBYTE(option, var, lvar) \ + OPT_PROLOG(option) \ + var = Tcl_GetByteArrayFromObj(objv[idx], &(lvar));\ + OPT_POSTLOG() + +#define OPTBAD(type, list) \ + Tcl_AppendResult(interp, "bad ", (type), \ + " \"", opt, "\": must be ", \ + (list), (char *) NULL) + +#endif /* _TCL_OPTS_H */ ADDED generic/tls.c Index: generic/tls.c ================================================================== --- /dev/null +++ generic/tls.c @@ -0,0 +1,1947 @@ +/* + * Copyright (C) 1997-1999 Matt Newman + * some modifications: + * Copyright (C) 2000 Ajuba Solutions + * Copyright (C) 2002 ActiveState Corporation + * Copyright (C) 2004 Starfish Systems + * + * TLS (aka SSL) Channel - can be layered on any bi-directional + * Tcl_Channel (Note: Requires Trf Core Patch) + * + * This was built (almost) from scratch based upon observation of + * OpenSSL 0.9.2B + * + * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for + * providing the Tcl_ReplaceChannel mechanism and working closely with me + * to enhance it to support full fileevent semantics. + * + * Also work done by the follow people provided the impetus to do this "right": + * tclSSL (Colin McCormack, Shared Technology) + * SSLtcl (Peter Antman) + * + */ + +#include "tlsInt.h" +#include "tclOpts.h" +#include + +/* + * External functions + */ + +/* + * Forward declarations + */ + +#define F2N( key, dsp) \ + (((key) == NULL) ? (char *) NULL : \ + Tcl_TranslateFileName(interp, (key), (dsp))) +#define REASON() ERR_reason_error_string(ERR_get_error()) + +static void InfoCallback(const SSL *ssl, int where, int ret); + +static Tcl_ObjCmdProc CiphersObjCmd; +static Tcl_ObjCmdProc HandshakeObjCmd; +static Tcl_ObjCmdProc ImportObjCmd; +static Tcl_ObjCmdProc StatusObjCmd; +static Tcl_ObjCmdProc VersionObjCmd; +static Tcl_ObjCmdProc MiscObjCmd; +static Tcl_ObjCmdProc UnimportObjCmd; + +static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, + char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, + int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile, + char *ciphers, char *DHparams); + +static int TlsLibInit(int uninitialize); + +#define TLS_PROTO_SSL2 0x01 +#define TLS_PROTO_SSL3 0x02 +#define TLS_PROTO_TLS1 0x04 +#define TLS_PROTO_TLS1_1 0x08 +#define TLS_PROTO_TLS1_2 0x10 +#define TLS_PROTO_TLS1_3 0x20 +#define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) + +/* + * Static data structures + */ + +#ifndef OPENSSL_NO_DH +#include "dh_params.h" +#endif + +/* + * We lose the tcl password callback when we use the RSA BSAFE SSL-C 1.1.2 + * libraries instead of the current OpenSSL libraries. + */ + +#ifdef BSAFE +#define PRE_OPENSSL_0_9_4 1 +#endif + +/* + * Pre OpenSSL 0.9.4 Compat + */ + +#ifndef STACK_OF +#define STACK_OF(x) STACK +#define sk_SSL_CIPHER_num(sk) sk_num((sk)) +#define sk_SSL_CIPHER_value( sk, index) (SSL_CIPHER*)sk_value((sk), (index)) +#endif + +/* + * Thread-Safe TLS Code + */ + +#ifdef TCL_THREADS +#define OPENSSL_THREAD_DEFINES +#include + +#ifdef OPENSSL_THREADS +#include + +/* + * Threaded operation requires locking callbacks + * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. + */ + +static Tcl_Mutex *locks = NULL; +static int locksCount = 0; +static Tcl_Mutex init_mx; + +void CryptoThreadLockCallback(int mode, int n, const char *file, int line) { + + if (mode & CRYPTO_LOCK) { + /* This debugging is turned off by default -- it's too noisy. */ + /* dprintf("Called to lock (n=%i of %i)", n, locksCount); */ + Tcl_MutexLock(&locks[n]); + } else { + /* dprintf("Called to unlock (n=%i of %i)", n, locksCount); */ + Tcl_MutexUnlock(&locks[n]); + } + + /* dprintf("Returning"); */ + + return; + file = file; + line = line; +} + +unsigned long CryptoThreadIdCallback(void) { + unsigned long ret; + + dprintf("Called"); + + ret = (unsigned long) Tcl_GetCurrentThread(); + + dprintf("Returning %lu", ret); + + return(ret); +} +#endif /* OPENSSL_THREADS */ +#endif /* TCL_THREADS */ + + +/* + *------------------------------------------------------------------- + * + * InfoCallback -- + * + * monitors SSL connection process + * + * Results: + * None + * + * Side effects: + * Calls callback (if defined) + *------------------------------------------------------------------- + */ +static void +InfoCallback(const SSL *ssl, int where, int ret) +{ + State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); + Tcl_Obj *cmdPtr; + const char *major, *minor; + + dprintf("Called"); + + if (statePtr->callback == (Tcl_Obj*)NULL) + return; + + cmdPtr = Tcl_DuplicateObj(statePtr->callback); + +#if 0 + if (where & SSL_CB_ALERT) { + sev = SSL_alert_type_string_long(ret); + if (strcmp( sev, "fatal")==0) { /* Map to error */ + Tls_Error(statePtr, SSL_ERROR(ssl, 0)); + return; + } + } +#endif + if (where & SSL_CB_HANDSHAKE_START) { + major = "handshake"; + minor = "start"; + } else if (where & SSL_CB_HANDSHAKE_DONE) { + major = "handshake"; + minor = "done"; + } else { + if (where & SSL_CB_ALERT) major = "alert"; + else if (where & SSL_ST_CONNECT) major = "connect"; + else if (where & SSL_ST_ACCEPT) major = "accept"; + else major = "unknown"; + + if (where & SSL_CB_READ) minor = "read"; + else if (where & SSL_CB_WRITE) minor = "write"; + else if (where & SSL_CB_LOOP) minor = "loop"; + else if (where & SSL_CB_EXIT) minor = "exit"; + else minor = "unknown"; + } + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( "info", -1)); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) ); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( major, -1) ); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( minor, -1) ); + + if (where & (SSL_CB_LOOP|SSL_CB_EXIT)) { + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( SSL_state_string_long(ssl), -1) ); + } else if (where & SSL_CB_ALERT) { + const char *cp = (char *) SSL_alert_desc_string_long(ret); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( cp, -1) ); + } else { + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( SSL_state_string_long(ssl), -1) ); + } + Tcl_Preserve( (ClientData) statePtr->interp); + Tcl_Preserve( (ClientData) statePtr); + + Tcl_IncrRefCount( cmdPtr); + (void) Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL); + Tcl_DecrRefCount( cmdPtr); + + Tcl_Release( (ClientData) statePtr); + Tcl_Release( (ClientData) statePtr->interp); + +} + +/* + *------------------------------------------------------------------- + * + * VerifyCallback -- + * + * Monitors SSL certificate validation process. + * This is called whenever a certificate is inspected + * or decided invalid. + * + * Results: + * A callback bound to the socket may return one of: + * 0 - the certificate is deemed invalid + * 1 - the certificate is deemed valid + * empty string - no change to certificate validation + * + * Side effects: + * The err field of the currently operative State is set + * to a string describing the SSL negotiation failure reason + *------------------------------------------------------------------- + */ +static int +VerifyCallback(int ok, X509_STORE_CTX *ctx) +{ + Tcl_Obj *cmdPtr, *result; + char *errStr, *string; + Tcl_Size length; + SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + X509 *cert = X509_STORE_CTX_get_current_cert(ctx); + State *statePtr = (State*)SSL_get_app_data(ssl); + int depth = X509_STORE_CTX_get_error_depth(ctx); + int err = X509_STORE_CTX_get_error(ctx); + + dprintf("Verify: %d", ok); + + if (!ok) { + errStr = (char*)X509_verify_cert_error_string(err); + } else { + errStr = (char *)0; + } + + if (statePtr->callback == (Tcl_Obj*)NULL) { + if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { + return ok; + } else { + return 1; + } + } + cmdPtr = Tcl_DuplicateObj(statePtr->callback); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( "verify", -1)); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) ); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewIntObj( depth) ); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tls_NewX509Obj( statePtr->interp, cert) ); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewIntObj( ok) ); + + Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, + Tcl_NewStringObj( errStr ? errStr : "", -1) ); + + Tcl_Preserve( (ClientData) statePtr->interp); + Tcl_Preserve( (ClientData) statePtr); + + statePtr->flags |= TLS_TCL_CALLBACK; + + Tcl_IncrRefCount( cmdPtr); + if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) { + /* It got an error - reject the certificate. */ + Tcl_BackgroundError( statePtr->interp); + ok = 0; + } else { + result = Tcl_GetObjResult(statePtr->interp); + string = Tcl_GetStringFromObj(result, &length); + /* An empty result leaves verification unchanged. */ + if (string != NULL && length > 0) { + if (Tcl_GetIntFromObj(statePtr->interp, result, &ok) != TCL_OK) { + Tcl_BackgroundError(statePtr->interp); + ok = 0; + } + } + } + Tcl_DecrRefCount( cmdPtr); + + statePtr->flags &= ~(TLS_TCL_CALLBACK); + + Tcl_Release( (ClientData) statePtr); + Tcl_Release( (ClientData) statePtr->interp); + + return(ok); /* By default, leave verification unchanged. */ +} + +/* + *------------------------------------------------------------------- + * + * Tls_Error -- + * + * Calls callback with $fd and $msg - so the callback can decide + * what to do with errors. + * + * Side effects: + * The err field of the currently operative State is set + * to a string describing the SSL negotiation failure reason + *------------------------------------------------------------------- + */ +void +Tls_Error(State *statePtr, char *msg) +{ + Tcl_Obj *cmdPtr; + + dprintf("Called"); + + if (msg && *msg) { + Tcl_SetErrorCode(statePtr->interp, "SSL", msg, (char *)NULL); + } else { + msg = Tcl_GetString(Tcl_GetObjResult(statePtr->interp)); + } + statePtr->err = msg; + + if (statePtr->callback == (Tcl_Obj*)NULL) { + char buf[BUFSIZ]; + sprintf(buf, "SSL channel \"%s\": error: %s", + Tcl_GetChannelName(statePtr->self), msg); + Tcl_SetResult( statePtr->interp, buf, TCL_VOLATILE); + Tcl_BackgroundError( statePtr->interp); + return; + } + cmdPtr = Tcl_DuplicateObj(statePtr->callback); + + Tcl_ListObjAppendElement(statePtr->interp, cmdPtr, + Tcl_NewStringObj("error", -1)); + + Tcl_ListObjAppendElement(statePtr->interp, cmdPtr, + Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); + + Tcl_ListObjAppendElement(statePtr->interp, cmdPtr, + Tcl_NewStringObj(msg, -1)); + + Tcl_Preserve((ClientData) statePtr->interp); + Tcl_Preserve((ClientData) statePtr); + + Tcl_IncrRefCount(cmdPtr); + if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) { + Tcl_BackgroundError(statePtr->interp); + } + Tcl_DecrRefCount(cmdPtr); + + Tcl_Release((ClientData) statePtr); + Tcl_Release((ClientData) statePtr->interp); +} + +/* + *------------------------------------------------------------------- + * + * PasswordCallback -- + * + * Called when a password is needed to unpack RSA and PEM keys. + * Evals any bound password script and returns the result as + * the password string. + *------------------------------------------------------------------- + */ +#ifdef PRE_OPENSSL_0_9_4 +/* + * No way to handle user-data therefore no way without a global + * variable to access the Tcl interpreter. +*/ +static int +PasswordCallback(char *buf, int size, int verify) +{ + return -1; + buf = buf; + size = size; + verify = verify; +} +#else +static int +PasswordCallback(char *buf, int size, int verify, void *udata) +{ + State *statePtr = (State *) udata; + Tcl_Interp *interp = statePtr->interp; + Tcl_Obj *cmdPtr; + int result; + + dprintf("Called"); + + if (statePtr->password == NULL) { + if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) + == TCL_OK) { + char *ret = (char *) Tcl_GetStringResult(interp); + strncpy(buf, ret, (size_t) size); + return (int)strlen(ret); + } else { + return -1; + } + } + + cmdPtr = Tcl_DuplicateObj(statePtr->password); + + Tcl_Preserve((ClientData) statePtr->interp); + Tcl_Preserve((ClientData) statePtr); + + Tcl_IncrRefCount(cmdPtr); + result = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL); + if (result != TCL_OK) { + Tcl_BackgroundError(statePtr->interp); + } + Tcl_DecrRefCount(cmdPtr); + + Tcl_Release((ClientData) statePtr); + Tcl_Release((ClientData) statePtr->interp); + + if (result == TCL_OK) { + char *ret = (char *) Tcl_GetStringResult(interp); + strncpy(buf, ret, (size_t) size); + return (int)strlen(ret); + } else { + return -1; + } + verify = verify; +} +#endif + +/* + *------------------------------------------------------------------- + * + * CiphersObjCmd -- list available ciphers + * + * This procedure is invoked to process the "tls::ciphers" command + * to list available ciphers, based upon protocol selected. + * + * Results: + * A standard Tcl result list. + * + * Side effects: + * constructs and destroys SSL context (CTX) + * + *------------------------------------------------------------------- + */ +static int +CiphersObjCmd( + TCL_UNUSED(void *), + Tcl_Interp *interp, + int objc, + Tcl_Obj *const objv[]) +{ + static const char *protocols[] = { + "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL + }; + enum protocol { + TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE + }; + Tcl_Obj *objPtr; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + STACK_OF(SSL_CIPHER) *sk; + char *cp, buf[BUFSIZ]; + int index, verbose = 0; + + dprintf("Called"); + + if (objc < 2 || objc > 3) { + Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose?"); + return TCL_ERROR; + } + if (Tcl_GetIndexFromObj( interp, objv[1], protocols, "protocol", 0, + &index) != TCL_OK) { + return TCL_ERROR; + } + if (objc > 2 && Tcl_GetBooleanFromObj( interp, objv[2], + &verbose) != TCL_OK) { + return TCL_ERROR; + } + switch ((enum protocol)index) { + case TLS_SSL2: +#if defined(NO_SSL2) + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(SSLv2_method()); break; +#endif + case TLS_SSL3: +#if defined(NO_SSL3) + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(SSLv3_method()); break; +#endif + case TLS_TLS1: +#if defined(NO_TLS1) + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(TLSv1_method()); break; +#endif + case TLS_TLS1_1: +#if defined(NO_TLS1_1) + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(TLSv1_1_method()); break; +#endif + case TLS_TLS1_2: +#if defined(NO_TLS1_2) + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(TLSv1_2_method()); break; +#endif + case TLS_TLS1_3: +#if defined(NO_TLS1_3) + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return TCL_ERROR; +#else + ctx = SSL_CTX_new(TLS_method()); break; + SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); + SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION); +#endif + default: + break; + } + if (ctx == NULL) { + Tcl_AppendResult(interp, REASON(), (char *) NULL); + return TCL_ERROR; + } + ssl = SSL_new(ctx); + if (ssl == NULL) { + Tcl_AppendResult(interp, REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return TCL_ERROR; + } + objPtr = Tcl_NewListObj( 0, NULL); + + if (!verbose) { + for (index = 0; ; index++) { + cp = (char*)SSL_get_cipher_list( ssl, index); + if (cp == NULL) break; + Tcl_ListObjAppendElement( interp, objPtr, + Tcl_NewStringObj( cp, -1) ); + } + } else { + sk = SSL_get_ciphers(ssl); + + for (index = 0; index < sk_SSL_CIPHER_num(sk); index++) { + size_t i; + SSL_CIPHER_description( sk_SSL_CIPHER_value( sk, index), + buf, sizeof(buf)); + for (i = strlen(buf) - 1; i ; i--) { + if (buf[i] == ' ' || buf[i] == '\n' || + buf[i] == '\r' || buf[i] == '\t') { + buf[i] = '\0'; + } else { + break; + } + } + Tcl_ListObjAppendElement( interp, objPtr, + Tcl_NewStringObj( buf, -1) ); + } + } + SSL_free(ssl); + SSL_CTX_free(ctx); + + Tcl_SetObjResult( interp, objPtr); + return TCL_OK; +} + +/* + *------------------------------------------------------------------- + * + * HandshakeObjCmd -- + * + * This command is used to verify whether the handshake is complete + * or not. + * + * Results: + * A standard Tcl result. 1 means handshake complete, 0 means pending. + * + * Side effects: + * May force SSL negotiation to take place. + * + *------------------------------------------------------------------- + */ + +static int HandshakeObjCmd( + TCL_UNUSED(void *), + Tcl_Interp *interp, + int objc, + Tcl_Obj *const objv[]) +{ + Tcl_Channel chan; /* The channel to set a mode on. */ + State *statePtr; /* client state for ssl socket */ + const char *errStr = NULL; + int ret = 1; + int err = 0; + + dprintf("Called"); + + if (objc != 2) { + Tcl_WrongNumArgs(interp, 1, objv, "channel"); + return(TCL_ERROR); + } + + chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); + if (chan == (Tcl_Channel) NULL) { + return(TCL_ERROR); + } + + /* + * Make sure to operate on the topmost channel + */ + chan = Tcl_GetTopChannel(chan); + if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { + Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL); + return(TCL_ERROR); + } + statePtr = (State *)Tcl_GetChannelInstanceData(chan); + + dprintf("Calling Tls_WaitForConnect"); + ret = Tls_WaitForConnect(statePtr, &err, 1); + dprintf("Tls_WaitForConnect returned: %i", ret); + + if ( + ret < 0 && \ + ((statePtr->flags & TLS_TCL_ASYNC) && err == EAGAIN) + ) { + dprintf("Async set and err = EAGAIN"); + ret = 0; + } else if (ret < 0) { + errStr = statePtr->err; + Tcl_ResetResult(interp); + Tcl_SetErrno(err); + + if (!errStr || *errStr == 0) { + errStr = Tcl_PosixError(interp); + } + + Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL); + dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); + return(TCL_ERROR); + } else { + if (err != 0) { + dprintf("Got an error with a completed handshake: err = %i", err); + } + + ret = 1; + } + + dprintf("Returning TCL_OK with data \"%i\"", ret); + Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); + return(TCL_OK); +} + +/* + *------------------------------------------------------------------- + * + * ImportObjCmd -- + * + * This procedure is invoked to process the "ssl" command + * + * The ssl command pushes SSL over a (newly connected) tcp socket + * + * Results: + * A standard Tcl result. + * + * Side effects: + * May modify the behavior of an IO channel. + * + *------------------------------------------------------------------- + */ + +static int +ImportObjCmd( + TCL_UNUSED(void *), + Tcl_Interp *interp, + int objc, + Tcl_Obj *const objv[]) +{ + Tcl_Channel chan; /* The channel to set a mode on. */ + State *statePtr; /* client state for ssl socket */ + SSL_CTX *ctx = NULL; + Tcl_Obj *script = NULL; + Tcl_Obj *password = NULL; + Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; + int idx; + Tcl_Size len; + int flags = TLS_TCL_INIT; + int server = 0; /* is connection incoming or outgoing? */ + char *keyfile = NULL; + char *certfile = NULL; + unsigned char *key = NULL; + Tcl_Size key_len = 0; + unsigned char *cert = NULL; + Tcl_Size cert_len = 0; + char *ciphers = NULL; + char *CAfile = NULL; + char *CAdir = NULL; + char *DHparams = NULL; + char *model = NULL; +#ifndef OPENSSL_NO_TLSEXT + char *servername = NULL; /* hostname for Server Name Indication */ +#endif + int ssl2 = 0, ssl3 = 0; + int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; + int proto = 0; + int verify = 0, require = 0, request = 1; + + dprintf("Called"); + +#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL3) && !defined(NO_SSL2) + ssl2 = 1; +#endif +#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL2) && !defined(NO_SSL3) + ssl3 = 1; +#endif +#if defined(NO_TLS1) + tls1 = 0; +#endif +#if defined(NO_TLS1_1) + tls1_1 = 0; +#endif +#if defined(NO_TLS1_2) + tls1_2 = 0; +#endif +#if defined(NO_TLS1_3) + tls1_3 = 0; +#endif + + if (objc < 2) { + Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); + return TCL_ERROR; + } + + chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); + if (chan == (Tcl_Channel) NULL) { + return TCL_ERROR; + } + + /* + * Make sure to operate on the topmost channel + */ + chan = Tcl_GetTopChannel(chan); + + for (idx = 2; idx < objc; idx++) { + char *opt = Tcl_GetString(objv[idx]); + + if (opt[0] != '-') + break; + + OPTSTR( "-cadir", CAdir); + OPTSTR( "-cafile", CAfile); + OPTSTR( "-certfile", certfile); + OPTSTR( "-cipher", ciphers); + OPTOBJ( "-command", script); + OPTSTR( "-dhparams", DHparams); + OPTSTR( "-keyfile", keyfile); + OPTSTR( "-model", model); + OPTOBJ( "-password", password); + OPTBOOL( "-require", require); + OPTBOOL( "-request", request); + OPTBOOL( "-server", server); +#ifndef OPENSSL_NO_TLSEXT + OPTSTR( "-servername", servername); +#endif + + OPTBOOL( "-ssl2", ssl2); + OPTBOOL( "-ssl3", ssl3); + OPTBOOL( "-tls1", tls1); + OPTBOOL( "-tls1.1", tls1_1); + OPTBOOL( "-tls1.2", tls1_2); + OPTBOOL( "-tls1.3", tls1_3) + OPTBYTE("-cert", cert, cert_len); + OPTBYTE("-key", key, key_len); + + OPTBAD( "option", "-cadir, -cafile, -cert, -certfile, -cipher, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3"); + + return TCL_ERROR; + } + if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; + if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + if (verify == 0) verify = SSL_VERIFY_NONE; + + proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); + proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); + proto |= (tls1 ? TLS_PROTO_TLS1 : 0); + proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); + proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); + proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0); + + /* reset to NULL if blank string provided */ + if (cert && !*cert) cert = NULL; + if (key && !*key) key = NULL; + if (certfile && !*certfile) certfile = NULL; + if (keyfile && !*keyfile) keyfile = NULL; + if (ciphers && !*ciphers) ciphers = NULL; + if (CAfile && !*CAfile) CAfile = NULL; + if (CAdir && !*CAdir) CAdir = NULL; + if (DHparams && !*DHparams) DHparams = NULL; + + /* new SSL state */ + statePtr = (State *) ckalloc((unsigned) sizeof(State)); + memset(statePtr, 0, sizeof(State)); + + statePtr->flags = flags; + statePtr->interp = interp; + statePtr->vflags = verify; + statePtr->err = ""; + + /* allocate script */ + if (script) { + (void) Tcl_GetStringFromObj(script, &len); + if (len) { + statePtr->callback = script; + Tcl_IncrRefCount(statePtr->callback); + } + } + + /* allocate password */ + if (password) { + (void) Tcl_GetStringFromObj(password, &len); + if (len) { + statePtr->password = password; + Tcl_IncrRefCount(statePtr->password); + } + } + + if (model != NULL) { + int mode; + /* Get the "model" context */ + chan = Tcl_GetChannel(interp, model, &mode); + if (chan == (Tcl_Channel) NULL) { + Tls_Free((void *)statePtr); + return TCL_ERROR; + } + + /* + * Make sure to operate on the topmost channel + */ + chan = Tcl_GetTopChannel(chan); + if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { + Tcl_AppendResult(interp, "bad channel \"", + Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL); + Tls_Free((void *)statePtr); + return TCL_ERROR; + } + ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; + } else { + if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, + cert, key_len, cert_len, CAdir, CAfile, ciphers, + DHparams)) == (SSL_CTX*)0) { + Tls_Free((void *)statePtr); + return TCL_ERROR; + } + } + + statePtr->ctx = ctx; + + /* + * We need to make sure that the channel works in binary (for the + * encryption not to get goofed up). + * We only want to adjust the buffering in pre-v2 channels, where + * each channel in the stack maintained its own buffers. + */ + Tcl_DStringInit(&upperChannelTranslation); + Tcl_DStringInit(&upperChannelBlocking); + Tcl_DStringInit(&upperChannelEOFChar); + Tcl_DStringInit(&upperChannelEncoding); + Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar); + Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding); + Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation); + Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking); + Tcl_SetChannelOption(interp, chan, "-translation", "binary"); + Tcl_SetChannelOption(interp, chan, "-blocking", "true"); + dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan)); + statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), statePtr, (TCL_READABLE | TCL_WRITABLE), chan); + dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self)); + if (statePtr->self == (Tcl_Channel) NULL) { + /* + * No use of Tcl_EventuallyFree because no possible Tcl_Preserve. + */ + Tls_Free((void *)statePtr); + return TCL_ERROR; + } + + Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation)); + Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding)); + Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar)); + Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking)); + + /* + * SSL Initialization + */ + + statePtr->ssl = SSL_new(statePtr->ctx); + if (!statePtr->ssl) { + /* SSL library error */ + Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), + (char *) NULL); + Tls_Free((void *)statePtr); + return TCL_ERROR; + } + +#ifndef OPENSSL_NO_TLSEXT + if (servername) { + if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { + Tcl_AppendResult(interp, "setting TLS host name extension failed", + (char *) NULL); + Tls_Free((void *)statePtr); + return TCL_ERROR; + } + } +#endif + + /* + * SSL Callbacks + */ + + SSL_set_app_data(statePtr->ssl, (void *)statePtr); /* point back to us */ + + SSL_set_verify(statePtr->ssl, verify, VerifyCallback); + + SSL_CTX_set_info_callback(statePtr->ctx, InfoCallback); + + /* Create Tcl_Channel BIO Handler */ + statePtr->p_bio = BIO_new_tcl(statePtr, BIO_NOCLOSE); + statePtr->bio = BIO_new(BIO_f_ssl()); + + if (server) { + statePtr->flags |= TLS_TCL_SERVER; + SSL_set_accept_state(statePtr->ssl); + } else { + SSL_set_connect_state(statePtr->ssl); + } + SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio); + BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE); + + /* + * End of SSL Init + */ + dprintf("Returning %s", Tcl_GetChannelName(statePtr->self)); + Tcl_SetResult(interp, (char *) Tcl_GetChannelName(statePtr->self), + TCL_VOLATILE); + return TCL_OK; +} + +/* + *------------------------------------------------------------------- + * + * UnimportObjCmd -- + * + * This procedure is invoked to remove the topmost channel filter. + * + * Results: + * A standard Tcl result. + * + * Side effects: + * May modify the behavior of an IO channel. + * + *------------------------------------------------------------------- + */ + +static int +UnimportObjCmd( + TCL_UNUSED(void *), + Tcl_Interp *interp, + int objc, + Tcl_Obj *const objv[]) +{ + Tcl_Channel chan; /* The channel to set a mode on. */ + + dprintf("Called"); + + if (objc != 2) { + Tcl_WrongNumArgs(interp, 1, objv, "channel"); + return TCL_ERROR; + } + + chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); + if (chan == (Tcl_Channel) NULL) { + return TCL_ERROR; + } + + /* + * Make sure to operate on the topmost channel + */ + chan = Tcl_GetTopChannel(chan); + + if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { + Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), + "\": not a TLS channel", (char *)NULL); + return TCL_ERROR; + } + + if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) { + return TCL_ERROR; + } + + return TCL_OK; +} + +/* + *------------------------------------------------------------------- + * + * CTX_Init -- construct a SSL_CTX instance + * + * Results: + * A valid SSL_CTX instance or NULL. + * + * Side effects: + * constructs SSL context (CTX) + * + *------------------------------------------------------------------- + */ + +static SSL_CTX * +CTX_Init( + State *statePtr, + TCL_UNUSED(int) /* isServer */, + int proto, + char *keyfile, + char *certfile, + unsigned char *key, + unsigned char *cert, + int key_len, + int cert_len, + char *CAdir, + char *CAfile, + char *ciphers, + char *DHparams) +{ + Tcl_Interp *interp = statePtr->interp; + SSL_CTX *ctx = NULL; + Tcl_DString ds; + Tcl_DString ds1; + int off = 0; + int load_private_key; + const SSL_METHOD *method; + + dprintf("Called"); + + if (!proto) { + Tcl_AppendResult(interp, "no valid protocol selected", (char *)NULL); + return (SSL_CTX *)0; + } + + /* create SSL context */ +#if defined(NO_SSL2) + if (ENABLED(proto, TLS_PROTO_SSL2)) { + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_SSL3) + if (ENABLED(proto, TLS_PROTO_SSL3)) { + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_TLS1) + if (ENABLED(proto, TLS_PROTO_TLS1)) { + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_TLS1_1) + if (ENABLED(proto, TLS_PROTO_TLS1_1)) { + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_TLS1_2) + if (ENABLED(proto, TLS_PROTO_TLS1_2)) { + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return (SSL_CTX *)0; + } +#endif +#if defined(NO_TLS1_3) + if (ENABLED(proto, TLS_PROTO_TLS1_3)) { + Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); + return (SSL_CTX *)0; + } +#endif + + switch (proto) { +#if !defined(NO_SSL2) + case TLS_PROTO_SSL2: + method = SSLv2_method (); + break; +#endif +#if !defined(NO_SSL3) + case TLS_PROTO_SSL3: + method = SSLv3_method (); + break; +#endif +#if !defined(NO_TLS1) + case TLS_PROTO_TLS1: + method = TLSv1_method (); + break; +#endif +#if !defined(NO_TLS1_1) + case TLS_PROTO_TLS1_1: + method = TLSv1_1_method (); + break; +#endif +#if !defined(NO_TLS1_2) + case TLS_PROTO_TLS1_2: + method = TLSv1_2_method (); + break; +#endif +#if !defined(NO_TLS1_3) + case TLS_PROTO_TLS1_3: + /* + * The version range is constrained below, + * after the context is created. Use the + * generic method here. + */ + method = TLS_method (); + break; +#endif + default: +#ifdef HAVE_TLS_METHOD + method = TLS_method (); +#else + method = SSLv23_method (); +#endif +#if !defined(NO_SSL2) + off |= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); +#endif +#if !defined(NO_SSL3) + off |= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); +#endif +#if !defined(NO_TLS1) + off |= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); +#endif +#if !defined(NO_TLS1_1) + off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); +#endif +#if !defined(NO_TLS1_2) + off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); +#endif +#if !defined(NO_TLS1_3) + off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); +#endif + break; + } + + ctx = SSL_CTX_new (method); + + if (!ctx) { + return(NULL); + } + +#if !defined(NO_TLS1_3) + if (proto == TLS_PROTO_TLS1_3) { + SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); + SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION); + } +#endif + + SSL_CTX_set_app_data( ctx, (void*)interp); /* remember the interpreter */ + SSL_CTX_set_options( ctx, SSL_OP_ALL); /* all SSL bug workarounds */ + SSL_CTX_set_options( ctx, off); /* all SSL bug workarounds */ + SSL_CTX_sess_set_cache_size( ctx, 128); + + if (ciphers != NULL) + SSL_CTX_set_cipher_list(ctx, ciphers); + + /* set some callbacks */ + SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback); + +#ifndef BSAFE + SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr); +#endif + + /* read a Diffie-Hellman parameters file, or use the built-in one */ +#ifdef OPENSSL_NO_DH + if (DHparams != NULL) { + Tcl_AppendResult(interp, + "DH parameter support not available", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } +#else + { + DH* dh; + if (DHparams != NULL) { + BIO *bio; + Tcl_DStringInit(&ds); + bio = BIO_new_file(F2N(DHparams, &ds), "r"); + if (!bio) { + Tcl_DStringFree(&ds); + Tcl_AppendResult(interp, + "Could not find DH parameters file", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + + dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + BIO_free(bio); + Tcl_DStringFree(&ds); + if (!dh) { + Tcl_AppendResult(interp, + "Could not read DH parameters from file", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } else { + dh = get_dhParams(); + } + SSL_CTX_set_tmp_dh(ctx, dh); + DH_free(dh); + } +#endif + + /* set our certificate */ + load_private_key = 0; + if (certfile != NULL) { + load_private_key = 1; + + Tcl_DStringInit(&ds); + + if (SSL_CTX_use_certificate_file(ctx, F2N( certfile, &ds), + SSL_FILETYPE_PEM) <= 0) { + Tcl_DStringFree(&ds); + Tcl_AppendResult(interp, + "unable to set certificate file ", certfile, ": ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } else if (cert != NULL) { + load_private_key = 1; + if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) { + Tcl_DStringFree(&ds); + Tcl_AppendResult(interp, + "unable to set certificate: ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } else { + certfile = (char*)X509_get_default_cert_file(); + + if (SSL_CTX_use_certificate_file(ctx, certfile, + SSL_FILETYPE_PEM) <= 0) { +#if 0 + Tcl_DStringFree(&ds); + Tcl_AppendResult(interp, + "unable to use default certificate file ", certfile, ": ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; +#endif + } + } + + /* set our private key */ + if (load_private_key) { + if (keyfile == NULL && key == NULL) { + keyfile = certfile; + } + + if (keyfile != NULL) { + /* get the private key associated with this certificate */ + if (keyfile == NULL) { + keyfile = certfile; + } + + if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds), SSL_FILETYPE_PEM) <= 0) { + Tcl_DStringFree(&ds); + /* flush the passphrase which might be left in the result */ + Tcl_SetResult(interp, NULL, TCL_STATIC); + Tcl_AppendResult(interp, + "unable to set public key file ", keyfile, " ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + + Tcl_DStringFree(&ds); + } else if (key != NULL) { + if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) { + Tcl_DStringFree(&ds); + /* flush the passphrase which might be left in the result */ + Tcl_SetResult(interp, NULL, TCL_STATIC); + Tcl_AppendResult(interp, + "unable to set public key: ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } + /* Now we know that a key and cert have been set against + * the SSL context */ + if (!SSL_CTX_check_private_key(ctx)) { + Tcl_AppendResult(interp, + "private key does not match the certificate public key", + (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } + + /* Set verification CAs */ + Tcl_DStringInit(&ds); + Tcl_DStringInit(&ds1); + if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CAdir, &ds1)) || + !SSL_CTX_set_default_verify_paths(ctx)) { +#if 0 + Tcl_DStringFree(&ds); + Tcl_DStringFree(&ds1); + /* Don't currently care if this fails */ + Tcl_AppendResult(interp, "SSL default verify paths: ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; +#endif + } + + /* https://sourceforge.net/p/tls/bugs/57/ */ + /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */ + if ( CAfile != NULL ) { + STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) ); + if ( certNames != NULL ) { + SSL_CTX_set_client_CA_list(ctx, certNames ); + } + } + + Tcl_DStringFree(&ds); + Tcl_DStringFree(&ds1); + return ctx; +} + +/* + *------------------------------------------------------------------- + * + * StatusObjCmd -- return certificate for connected peer. + * + * Results: + * A standard Tcl result. + * + * Side effects: + * None. + * + *------------------------------------------------------------------- + */ +static int +StatusObjCmd( + TCL_UNUSED(void *), + Tcl_Interp *interp, + int objc, + Tcl_Obj *const objv[]) +{ + State *statePtr; + X509 *peer; + Tcl_Obj *objPtr; + Tcl_Channel chan; + char *channelName, *ciphers; + int mode; + + dprintf("Called"); + + switch (objc) { + case 2: + channelName = Tcl_GetString(objv[1]); + break; + + case 3: + if (!strcmp (Tcl_GetString (objv[1]), "-local")) { + channelName = Tcl_GetString(objv[2]); + break; + } + /* fallthrough */ + default: + Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); + return TCL_ERROR; + } + + chan = Tcl_GetChannel(interp, channelName, &mode); + if (chan == (Tcl_Channel) NULL) { + return TCL_ERROR; + } + /* + * Make sure to operate on the topmost channel + */ + chan = Tcl_GetTopChannel(chan); + if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { + Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), + "\": not a TLS channel", (char *)NULL); + return TCL_ERROR; + } + statePtr = (State *) Tcl_GetChannelInstanceData(chan); + if (objc == 2) { + peer = SSL_get_peer_certificate(statePtr->ssl); + } else { + peer = SSL_get_certificate(statePtr->ssl); + } + if (peer) { + objPtr = Tls_NewX509Obj(interp, peer); + if (objc == 2) { X509_free(peer); } + } else { + objPtr = Tcl_NewListObj(0, NULL); + } + + Tcl_ListObjAppendElement (interp, objPtr, + Tcl_NewStringObj ("sbits", -1)); + Tcl_ListObjAppendElement (interp, objPtr, + Tcl_NewIntObj (SSL_get_cipher_bits (statePtr->ssl, NULL))); + + ciphers = (char*)SSL_get_cipher(statePtr->ssl); + if (ciphers != NULL && strcmp(ciphers, "(NONE)")!=0) { + Tcl_ListObjAppendElement(interp, objPtr, + Tcl_NewStringObj("cipher", -1)); + Tcl_ListObjAppendElement(interp, objPtr, + Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1)); + } + + Tcl_ListObjAppendElement(interp, objPtr, + Tcl_NewStringObj("version", -1)); + Tcl_ListObjAppendElement(interp, objPtr, + Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1)); + + Tcl_SetObjResult( interp, objPtr); + return TCL_OK; +} + +/* + *------------------------------------------------------------------- + * + * VersionObjCmd -- return version string from OpenSSL. + * + * Results: + * A standard Tcl result. + * + * Side effects: + * None. + * + *------------------------------------------------------------------- + */ +static int +VersionObjCmd( + TCL_UNUSED(void *), + Tcl_Interp *interp, + TCL_UNUSED(int) /* objc */, + TCL_UNUSED(Tcl_Obj *const *) /* objv */) +{ + Tcl_Obj *objPtr; + + dprintf("Called"); + + objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1); + + Tcl_SetObjResult(interp, objPtr); + return TCL_OK; +} + +/* + *------------------------------------------------------------------- + * + * MiscObjCmd -- misc commands + * + * Results: + * A standard Tcl result. + * + * Side effects: + * None. + * + *------------------------------------------------------------------- + */ +static int +MiscObjCmd( + TCL_UNUSED(void *), + Tcl_Interp *interp, + int objc, + Tcl_Obj *const objv[]) +{ + static const char *commands [] = { "req", NULL }; + enum command { C_REQ, C_DUMMY }; + int cmd; + + dprintf("Called"); + + if (objc < 2) { + Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); + return TCL_ERROR; + } + if (Tcl_GetIndexFromObj(interp, objv[1], commands, + "command", 0,&cmd) != TCL_OK) { + return TCL_ERROR; + } + + switch ((enum command) cmd) { + case C_REQ: { + EVP_PKEY *pkey=NULL; + X509 *cert=NULL; + X509_NAME *name=NULL; + Tcl_Obj **listv; + Tcl_Size listc,i; + + BIO *out=NULL; + + const char *k_C="",*k_ST="",*k_L="",*k_O="",*k_OU="",*k_CN="",*k_Email=""; + char *keyout,*pemout,*str; + int keysize,serial=0,days=365; + + if ((objc<5) || (objc>6)) { + Tcl_WrongNumArgs(interp, 2, objv, "keysize keyfile certfile ?info?"); + return TCL_ERROR; + } + + if (Tcl_GetIntFromObj(interp, objv[2], &keysize) != TCL_OK) { + return TCL_ERROR; + } + keyout=Tcl_GetString(objv[3]); + pemout=Tcl_GetString(objv[4]); + + if (objc>=6) { + if (Tcl_ListObjGetElements(interp, objv[5], + &listc, &listv) != TCL_OK) { + return TCL_ERROR; + } + + if ((listc%2) != 0) { + Tcl_SetResult(interp,"Information list must have even number of arguments",NULL); + return TCL_ERROR; + } + for (i=0; i 8 +Tls_Free( void *blockPtr ) +#else +Tls_Free( char *blockPtr ) +#endif +{ + State *statePtr = (State *)blockPtr; + + dprintf("Called"); + + Tls_Clean(statePtr); + ckfree(blockPtr); +} + +/* + *------------------------------------------------------------------- + * + * Tls_Clean -- + * + * This procedure cleans up when a SSL socket based channel + * is closed and its reference count falls below 1. This should + * be called synchronously by the CloseProc, not in the + * EventuallyFree callback. + * + * Results: + * none + * + * Side effects: + * Frees all the state + * + *------------------------------------------------------------------- + */ +void Tls_Clean(State *statePtr) { + dprintf("Called"); + + /* + * we're assuming here that we're single-threaded + */ + if (statePtr->timer != (Tcl_TimerToken) NULL) { + Tcl_DeleteTimerHandler(statePtr->timer); + statePtr->timer = NULL; + } + + if (statePtr->bio) { + /* This will call SSL_shutdown. Bug 1414045 */ + dprintf("BIO_free_all(%p)", statePtr->bio); + BIO_free_all(statePtr->bio); + statePtr->bio = NULL; + } + if (statePtr->ssl) { + dprintf("SSL_free(%p)", statePtr->ssl); + SSL_free(statePtr->ssl); + statePtr->ssl = NULL; + } + if (statePtr->ctx) { + SSL_CTX_free(statePtr->ctx); + statePtr->ctx = NULL; + } + if (statePtr->callback) { + Tcl_DecrRefCount(statePtr->callback); + statePtr->callback = NULL; + } + if (statePtr->password) { + Tcl_DecrRefCount(statePtr->password); + statePtr->password = NULL; + } + + dprintf("Returning"); +} + +/* + *------------------------------------------------------------------- + * + * Tls_Init -- + * + * This is a package initialization procedure, which is called + * by Tcl when this package is to be added to an interpreter. + * + * Results: Ssl configured and loaded + * + * Side effects: + * create the ssl command, initialise ssl context + * + *------------------------------------------------------------------- + */ + +DLLEXPORT int Tls_Init(Tcl_Interp *interp) { + const char tlsTclInitScript[] = { +#include "tls.tcl.h" + 0x00 + }; + + dprintf("Called"); + + /* + * We only support Tcl 8.4 or newer + */ + if ( +#ifdef USE_TCL_STUBS + Tcl_InitStubs(interp, "8.6-", 0) +#else + Tcl_PkgRequire(interp, "Tcl", "8.6-", 0) +#endif + == NULL) { + return TCL_ERROR; + } + + if (TlsLibInit(0) != TCL_OK) { + Tcl_AppendResult(interp, "could not initialize SSL library", (char *)NULL); + return TCL_ERROR; + } + + Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); + Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); + Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); + Tcl_CreateObjCommand(interp, "tls::unimport", UnimportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); + Tcl_CreateObjCommand(interp, "tls::status", StatusObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); + Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); + Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); + + if (interp) { + Tcl_Eval(interp, tlsTclInitScript); + } + + return(Tcl_PkgProvide(interp, "tls", PACKAGE_VERSION)); +} + +/* + *------------------------------------------------------* + * + * Tls_SafeInit -- + * + * ------------------------------------------------* + * Standard procedure required by 'load'. + * Initializes this extension for a safe interpreter. + * ------------------------------------------------* + * + * Sideeffects: + * As of 'Tls_Init' + * + * Result: + * A standard Tcl error code. + * + *------------------------------------------------------* + */ + +DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp) { + dprintf("Called"); + return(Tls_Init(interp)); +} + +/* + *------------------------------------------------------* + * + * TlsLibInit -- + * + * ------------------------------------------------* + * Initializes SSL library once per application + * ------------------------------------------------* + * + * Side effects: + * initilizes SSL library + * + * Result: + * none + * + *------------------------------------------------------* + */ +static int TlsLibInit(int uninitialize) { + static int initialized = 0; + int status = TCL_OK; +#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) + size_t num_locks; +#endif + + if (uninitialize) { + if (!initialized) { + dprintf("Asked to uninitialize, but we are not initialized"); + + return(TCL_OK); + } + + dprintf("Asked to uninitialize"); + +#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) + Tcl_MutexLock(&init_mx); + + CRYPTO_set_locking_callback(NULL); + CRYPTO_set_id_callback(NULL); + + if (locks) { + free(locks); + locks = NULL; + locksCount = 0; + } +#endif + initialized = 0; + +#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) + Tcl_MutexUnlock(&init_mx); +#endif + + return(TCL_OK); + } + + if (initialized) { + dprintf("Called, but using cached value"); + return(status); + } + + dprintf("Called"); + +#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) + Tcl_MutexLock(&init_mx); +#endif + initialized = 1; + +#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) + num_locks = CRYPTO_num_locks(); + locksCount = num_locks; + locks = malloc(sizeof(*locks) * num_locks); + memset(locks, 0, sizeof(*locks) * num_locks); + + CRYPTO_set_locking_callback(CryptoThreadLockCallback); + CRYPTO_set_id_callback(CryptoThreadIdCallback); +#endif + + if (SSL_library_init() != 1) { + status = TCL_ERROR; + goto done; + } + + SSL_load_error_strings(); + ERR_load_crypto_strings(); + + BIO_new_tcl(NULL, 0); + +#if 0 + /* + * XXX:TODO: Remove this code and replace it with a check + * for enough entropy and do not try to create our own + * terrible entropy + */ + /* + * Seed the random number generator in the SSL library, + * using the do/while construct because of the bug note in the + * OpenSSL FAQ at http://www.openssl.org/support/faq.html#USER1 + * + * The crux of the problem is that Solaris 7 does not have a + * /dev/random or /dev/urandom device so it cannot gather enough + * entropy from the RAND_seed() when TLS initializes and refuses + * to go further. Earlier versions of OpenSSL carried on regardless. + */ + srand((unsigned int) time((time_t *) NULL)); + do { + for (i = 0; i < 16; i++) { + rnd_seed[i] = 1 + (char) (255.0 * rand()/(RAND_MAX+1.0)); + } + RAND_seed(rnd_seed, sizeof(rnd_seed)); + } while (RAND_status() != 1); +#endif + +done: +#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) + Tcl_MutexUnlock(&init_mx); +#endif + + return(status); +} ADDED generic/tls.h Index: generic/tls.h ================================================================== --- /dev/null +++ generic/tls.h @@ -0,0 +1,29 @@ +/* + * Copyright (C) 1997-2000 Matt Newman + * + * TLS (aka SSL) Channel - can be layered on any bi-directional + * Tcl_Channel (Note: Requires Trf Core Patch) + * + * This was built from scratch based upon observation of OpenSSL 0.9.2B + * + * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for + * providing the Tcl_ReplaceChannel mechanism and working closely with me + * to enhance it to support full fileevent semantics. + * + * Also work done by the follow people provided the impetus to do this "right":- + * tclSSL (Colin McCormack, Shared Technology) + * SSLtcl (Peter Antman) + * + */ +#ifndef _TLS_H +#define _TLS_H + +#include + +/* + * Initialization routines -- our entire public C API. + */ +DLLEXPORT int Tls_Init(Tcl_Interp *interp); +DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp); + +#endif /* _TLS_H */ ADDED generic/tlsBIO.c Index: generic/tlsBIO.c ================================================================== --- /dev/null +++ generic/tlsBIO.c @@ -0,0 +1,323 @@ +/* + * Copyright (C) 1997-2000 Matt Newman + * + * Provides BIO layer to interface openssl to Tcl. + */ + +#include "tlsInt.h" + +#ifdef TCLTLS_OPENSSL_PRE_1_1_API +#define BIO_get_data(bio) ((bio)->ptr) +#define BIO_get_init(bio) ((bio)->init) +#define BIO_get_shutdown(bio) ((bio)->shutdown) +#define BIO_set_data(bio, val) (bio)->ptr = (val) +#define BIO_set_init(bio, val) (bio)->init = (val) +#define BIO_set_shutdown(bio, val) (bio)->shutdown = (val) + +/* XXX: This assumes the variable being assigned to is BioMethods */ +#define BIO_meth_new(type_, name_) (BIO_METHOD *)Tcl_Alloc(sizeof(BIO_METHOD)); \ + memset(BioMethods, 0, sizeof(BIO_METHOD)); \ + BioMethods->type = type_; \ + BioMethods->name = name_; +#define BIO_meth_set_write(bio, val) (bio)->bwrite = val; +#define BIO_meth_set_read(bio, val) (bio)->bread = val; +#define BIO_meth_set_puts(bio, val) (bio)->bputs = val; +#define BIO_meth_set_ctrl(bio, val) (bio)->ctrl = val; +#define BIO_meth_set_create(bio, val) (bio)->create = val; +#define BIO_meth_set_destroy(bio, val) (bio)->destroy = val; +#endif + +/* + * Forward declarations + */ + +static int BioWrite (BIO *h, const char *buf, int num); +static int BioRead (BIO *h, char *buf, int num); +static int BioPuts (BIO *h, const char *str); +static long BioCtrl (BIO *h, int cmd, long arg1, void *ptr); +static int BioNew (BIO *h); +static int BioFree (BIO *h); + +BIO *BIO_new_tcl(State *statePtr, int flags) { + BIO *bio; + static BIO_METHOD *BioMethods = NULL; +#ifdef TCLTLS_SSL_USE_FASTPATH + Tcl_Channel parentChannel; + const Tcl_ChannelType *parentChannelType; + void *parentChannelFdIn_p, *parentChannelFdOut_p; + int parentChannelFdIn, parentChannelFdOut, parentChannelFd; + int validParentChannelFd; + int tclGetChannelHandleRet; +#endif + + dprintf("BIO_new_tcl() called"); + + if (BioMethods == NULL) { + BioMethods = BIO_meth_new(BIO_TYPE_TCL, "tcl"); + BIO_meth_set_write(BioMethods, BioWrite); + BIO_meth_set_read(BioMethods, BioRead); + BIO_meth_set_puts(BioMethods, BioPuts); + BIO_meth_set_ctrl(BioMethods, BioCtrl); + BIO_meth_set_create(BioMethods, BioNew); + BIO_meth_set_destroy(BioMethods, BioFree); + } + + if (statePtr == NULL) { + dprintf("Asked to setup a NULL state, just creating the initial configuration"); + + return(NULL); + } + +#ifdef TCLTLS_SSL_USE_FASTPATH + /* + * If the channel can be mapped back to a file descriptor, just use the file descriptor + * with the SSL library since it will likely be optimized for this. + */ + parentChannel = Tls_GetParent(statePtr, 0); + parentChannelType = Tcl_GetChannelType(parentChannel); + + validParentChannelFd = 0; + if (strcmp(parentChannelType->typeName, "tcp") == 0) { + tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_READABLE, &parentChannelFdIn_p); + if (tclGetChannelHandleRet == TCL_OK) { + tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_WRITABLE, &parentChannelFdOut_p); + if (tclGetChannelHandleRet == TCL_OK) { + parentChannelFdIn = PTR2INT(parentChannelFdIn_p); + parentChannelFdOut = PTR2INT(parentChannelFdOut_p); + if (parentChannelFdIn == parentChannelFdOut) { + parentChannelFd = parentChannelFdIn; + validParentChannelFd = 1; + } + } + } + } + + if (validParentChannelFd) { + dprintf("We found a shortcut, this channel is backed by a socket: %i", parentChannelFdIn); + bio = BIO_new_socket(parentChannelFd, flags); + statePtr->flags |= TLS_TCL_FASTPATH; + return(bio); + } + + dprintf("Falling back to Tcl I/O for this channel"); +#endif + + bio = BIO_new(BioMethods); + BIO_set_data(bio, statePtr); + BIO_set_shutdown(bio, flags); + BIO_set_init(bio, 1); + + return(bio); +} + +static int BioWrite(BIO *bio, const char *buf, int bufLen) { + Tcl_Channel chan; + int ret; + int tclEofChan, tclErrno; + + chan = Tls_GetParent((State *) BIO_get_data(bio), 0); + + dprintf("[chan=%p] BioWrite(%p, , %d)", (void *)chan, (void *) bio, bufLen); + + ret = Tcl_WriteRaw(chan, buf, bufLen); + + tclEofChan = Tcl_Eof(chan); + tclErrno = Tcl_GetErrno(); + + dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno()); + + BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY); + + if (tclEofChan && ret <= 0) { + dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); + Tcl_SetErrno(ECONNRESET); + ret = 0; + } else if (ret == 0) { + dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0"); + dprintf("Setting retry read flag"); + BIO_set_retry_read(bio); + } else if (ret < 0) { + dprintf("We got some kind of I/O error"); + + if (tclErrno == EAGAIN) { + dprintf("It's EAGAIN"); + } else { + dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); + } + } else { + dprintf("Successfully wrote some data"); + } + + if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) { + if (BIO_should_read(bio)) { + dprintf("Setting should retry read flag"); + + BIO_set_retry_read(bio); + } + } + + return(ret); +} + +static int BioRead(BIO *bio, char *buf, int bufLen) { + Tcl_Channel chan; + int ret = 0; + int tclEofChan, tclErrno; + + chan = Tls_GetParent((State *) BIO_get_data(bio), 0); + + dprintf("[chan=%p] BioRead(%p, , %d)", (void *) chan, (void *) bio, bufLen); + + if (buf == NULL) { + return 0; + } + + ret = Tcl_ReadRaw(chan, buf, bufLen); + + tclEofChan = Tcl_Eof(chan); + tclErrno = Tcl_GetErrno(); + + dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno); + + BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY); + + if (tclEofChan && ret <= 0) { + dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); + Tcl_SetErrno(ECONNRESET); + ret = 0; + } else if (ret == 0) { + dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0"); + dprintf("Setting retry read flag"); + BIO_set_retry_read(bio); + } else if (ret < 0) { + dprintf("We got some kind of I/O error"); + + if (tclErrno == EAGAIN) { + dprintf("It's EAGAIN"); + } else { + dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); + } + } else { + dprintf("Successfully read some data"); + } + + if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) { + if (BIO_should_write(bio)) { + dprintf("Setting should retry write flag"); + + BIO_set_retry_write(bio); + } + } + + dprintf("BioRead(%p, , %d) [%p] returning %i", (void *) bio, bufLen, (void *) chan, ret); + + return(ret); +} + +static int BioPuts(BIO *bio, const char *str) { + dprintf("BioPuts(%p, ) called", bio, str); + + return BioWrite(bio, str, (int) strlen(str)); +} + +static long BioCtrl(BIO *bio, int cmd, long num, void *ptr) { + Tcl_Channel chan; + long ret = 1; + + chan = Tls_GetParent((State *) BIO_get_data(bio), 0); + + dprintf("BioCtrl(%p, 0x%x, 0x%lx, %p)", bio, cmd, num, ptr); + + switch (cmd) { + case BIO_CTRL_RESET: + dprintf("Got BIO_CTRL_RESET"); + num = 0; + ret = 0; + break; + case BIO_C_FILE_SEEK: + dprintf("Got BIO_C_FILE_SEEK"); + ret = 0; + break; + case BIO_C_FILE_TELL: + dprintf("Got BIO_C_FILE_TELL"); + ret = 0; + break; + case BIO_CTRL_INFO: + dprintf("Got BIO_CTRL_INFO"); + ret = 1; + break; + case BIO_C_SET_FD: + dprintf("Unsupported call: BIO_C_SET_FD"); + ret = -1; + break; + case BIO_C_GET_FD: + dprintf("Unsupported call: BIO_C_GET_FD"); + ret = -1; + break; + case BIO_CTRL_GET_CLOSE: + dprintf("Got BIO_CTRL_CLOSE"); + ret = BIO_get_shutdown(bio); + break; + case BIO_CTRL_SET_CLOSE: + dprintf("Got BIO_SET_CLOSE"); + BIO_set_shutdown(bio, num); + break; + case BIO_CTRL_EOF: + dprintf("Got BIO_CTRL_EOF"); + ret = Tcl_Eof(chan); + break; + case BIO_CTRL_PENDING: + dprintf("Got BIO_CTRL_PENDING"); + ret = ((chan) ? Tcl_InputBuffered(chan) : 0); + dprintf("BIO_CTRL_PENDING(%d)", (int) ret); + break; + case BIO_CTRL_WPENDING: + dprintf("Got BIO_CTRL_WPENDING"); + ret = 0; + break; + case BIO_CTRL_DUP: + dprintf("Got BIO_CTRL_DUP"); + break; + case BIO_CTRL_FLUSH: + dprintf("Got BIO_CTRL_FLUSH"); + ret = ((Tcl_WriteRaw(chan, "", 0) >= 0) ? 1 : -1); + dprintf("BIO_CTRL_FLUSH returning value %li", ret); + break; + default: + dprintf("Got unknown control command (%i)", cmd); + ret = -2; + break; + } + + return(ret); +} + +static int BioNew(BIO *bio) { + dprintf("BioNew(%p) called", bio); + + BIO_set_init(bio, 0); + BIO_set_data(bio, NULL); + BIO_clear_flags(bio, -1); + + return(1); +} + +static int BioFree(BIO *bio) { + if (bio == NULL) { + return(0); + } + + dprintf("BioFree(%p) called", bio); + + if (BIO_get_shutdown(bio)) { + if (BIO_get_init(bio)) { + /*shutdown(bio->num, 2) */ + /*closesocket(bio->num) */ + } + + BIO_set_init(bio, 0); + BIO_clear_flags(bio, -1); + } + + return(1); +} ADDED generic/tlsIO.c Index: generic/tlsIO.c ================================================================== --- /dev/null +++ generic/tlsIO.c @@ -0,0 +1,946 @@ +/* + * Copyright (C) 1997-2000 Matt Newman + * Copyright (C) 2000 Ajuba Solutions + * + * TLS (aka SSL) Channel - can be layered on any bi-directional + * Tcl_Channel (Note: Requires Trf Core Patch) + * + * This was built from scratch based upon observation of OpenSSL 0.9.2B + * + * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for + * providing the Tcl_ReplaceChannel mechanism and working closely with me + * to enhance it to support full fileevent semantics. + * + * Also work done by the follow people provided the impetus to do this "right": + * tclSSL (Colin McCormack, Shared Technology) + * SSLtcl (Peter Antman) + * + */ + +#include "tlsInt.h" + +/* + * Forward declarations + */ +static int TlsBlockModeProc (void *instanceData, int mode); +static int TlsCloseProc (void *instanceData, Tcl_Interp *interp); +static int TlsClose2Proc (void *instanceData, Tcl_Interp *interp, int flags); +static int TlsInputProc (void *instanceData, char *buf, int bufSize, int *errorCodePtr); +static int TlsOutputProc (void *instanceData, const char *buf, int toWrite, int *errorCodePtr); +static int TlsGetOptionProc (void *instanceData, Tcl_Interp *interp, const char *optionName, Tcl_DString *dsPtr); +static void TlsWatchProc (void *instanceData, int mask); +static int TlsGetHandleProc (void *instanceData, int direction, void **handlePtr); +static int TlsNotifyProc (void *instanceData, int mask); +static void TlsChannelHandlerTimer (void *clientData); + +/* + * TLS Channel Type + */ +static const Tcl_ChannelType tlsChannelType = { + "tls", /* typeName */ + TCL_CHANNEL_VERSION_5, /* version */ + TlsCloseProc, /* closeProc */ + TlsInputProc, /* inputProc */ + TlsOutputProc, /* outputProc */ + 0, /* seekProc */ + 0, /* setOptionProc */ + TlsGetOptionProc, /* getOptionProc */ + TlsWatchProc, /* watchProc */ + TlsGetHandleProc, /* getHandleProc */ + TlsClose2Proc, /* close2Proc */ + TlsBlockModeProc, /* blockModeProc */ + 0, /* flushProc */ + TlsNotifyProc, /* handlerProc */ + 0, /* wideSeekProc */ + 0, /* threadActionProc */ + 0 /* truncateProc */ +}; + + +/* + *------------------------------------------------------------------- + * + * Tls_ChannelType -- + * + * Return the correct TLS channel driver info + * + * Results: + * The correct channel driver for the current version of Tcl. + * + * Side effects: + * None. + * + *------------------------------------------------------------------- + */ +const Tcl_ChannelType *Tls_ChannelType(void) { + return &tlsChannelType; +} + +/* + *------------------------------------------------------------------- + * + * TlsBlockModeProc -- + * + * This procedure is invoked by the generic IO level + * to set blocking and nonblocking modes + * Results: + * 0 if successful, errno when failed. + * + * Side effects: + * Sets the device into blocking or nonblocking mode. + * + *------------------------------------------------------------------- + */ +static int TlsBlockModeProc(void *instanceData, int mode) { + State *statePtr = (State *) instanceData; + + if (mode == TCL_MODE_NONBLOCKING) { + statePtr->flags |= TLS_TCL_ASYNC; + } else { + statePtr->flags &= ~(TLS_TCL_ASYNC); + } + + return(0); +} + +/* + *------------------------------------------------------------------- + * + * TlsCloseProc -- + * + * This procedure is invoked by the generic IO level to perform + * channel-type-specific cleanup when a SSL socket based channel + * is closed. + * + * Note: we leave the underlying socket alone, is this right? + * + * Results: + * 0 if successful, the value of Tcl_GetErrno() if failed. + * + * Side effects: + * Closes the socket of the channel. + * + *------------------------------------------------------------------- + */ +static int TlsCloseProc(void *instanceData, TCL_UNUSED(Tcl_Interp *)) { + State *statePtr = (State *) instanceData; + + dprintf("TlsCloseProc(%p)", statePtr); + + Tls_Clean(statePtr); + Tcl_EventuallyFree(statePtr, Tls_Free); + + dprintf("Returning TCL_OK"); + + return(TCL_OK); +} + +static int TlsClose2Proc(void *instanceData, Tcl_Interp *interp, int flags) { + if (!(flags&(TCL_CLOSE_READ|TCL_CLOSE_WRITE))) { + return TlsCloseProc(instanceData, interp); + } + return EINVAL; +} + +/* + *------------------------------------------------------* + * + * Tls_WaitForConnect -- + * + * Sideeffects: + * Issues SSL_accept or SSL_connect + * + * Result: + * None. + * + *------------------------------------------------------* + */ +int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent) { + unsigned long backingError; + int err, rc; + int bioShouldRetry; + + dprintf("WaitForConnect(%p)", statePtr); + dprintFlags(statePtr); + + if (!(statePtr->flags & TLS_TCL_INIT)) { + dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success"); + *errorCodePtr = 0; + return(0); + } + + if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { + /* + * Different types of operations have different requirements + * SSL being established + */ + if (handshakeFailureIsPermanent) { + dprintf("Asked to wait for a TLS handshake that has already failed. Returning fatal error"); + *errorCodePtr = ECONNABORTED; + } else { + dprintf("Asked to wait for a TLS handshake that has already failed. Returning soft error"); + *errorCodePtr = ECONNRESET; + } + return(-1); + } + + for (;;) { + /* Not initialized yet! */ + if (statePtr->flags & TLS_TCL_SERVER) { + dprintf("Calling SSL_accept()"); + + err = SSL_accept(statePtr->ssl); + } else { + dprintf("Calling SSL_connect()"); + + err = SSL_connect(statePtr->ssl); + } + + if (err > 0) { + dprintf("That seems to have gone okay"); + + err = BIO_flush(statePtr->bio); + + if (err <= 0) { + dprintf("Flushing the lower layers failed, this will probably terminate this session"); + } + } + + rc = SSL_get_error(statePtr->ssl, err); + + dprintf("Got error: %i (rc = %i)", err, rc); + + bioShouldRetry = 0; + if (err <= 0) { + if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) { + bioShouldRetry = 1; + } else if (BIO_should_retry(statePtr->bio)) { + bioShouldRetry = 1; + } else if (rc == SSL_ERROR_SYSCALL && Tcl_GetErrno() == EAGAIN) { + bioShouldRetry = 1; + } + } else { + if (!SSL_is_init_finished(statePtr->ssl)) { + bioShouldRetry = 1; + } + } + + if (bioShouldRetry) { + dprintf("The I/O did not complete -- but we should try it again"); + + if (statePtr->flags & TLS_TCL_ASYNC) { + dprintf("Returning EAGAIN so that it can be retried later"); + + *errorCodePtr = EAGAIN; + + return(-1); + } else { + dprintf("Doing so now"); + + continue; + } + } + + dprintf("We have either completely established the session or completely failed it -- there is no more need to ever retry it though"); + break; + } + + + *errorCodePtr = EINVAL; + + switch (rc) { + case SSL_ERROR_NONE: + /* The connection is up, we are done here */ + dprintf("The connection is up"); + break; + case SSL_ERROR_ZERO_RETURN: + dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...") + return(-1); + case SSL_ERROR_SYSCALL: + backingError = ERR_get_error(); + + if (backingError == 0 && err == 0) { + dprintf("EOF reached") + *errorCodePtr = ECONNRESET; + } else if (backingError == 0 && err == -1) { + dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno()); + *errorCodePtr = Tcl_GetErrno(); + if (*errorCodePtr == ECONNRESET) { + *errorCodePtr = ECONNABORTED; + } + } else { + dprintf("I/O error occured (backingError = %lu)", backingError); + *errorCodePtr = backingError; + if (*errorCodePtr == ECONNRESET) { + *errorCodePtr = ECONNABORTED; + } + } + + statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; + + return(-1); + case SSL_ERROR_SSL: + dprintf("Got permanent fatal SSL error, aborting immediately"); + Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error())); + statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; + *errorCodePtr = ECONNABORTED; + return(-1); + case SSL_ERROR_WANT_CONNECT: + case SSL_ERROR_WANT_ACCEPT: + case SSL_ERROR_WANT_X509_LOOKUP: + default: + dprintf("We got a confusing reply: %i", rc); + *errorCodePtr = Tcl_GetErrno(); + dprintf("ERR(%d, %d) ", rc, *errorCodePtr); + return(-1); + } + +#if 0 + if (statePtr->flags & TLS_TCL_SERVER) { + dprintf("This is an TLS server, checking the certificate for the peer"); + + err = SSL_get_verify_result(statePtr->ssl); + if (err != X509_V_OK) { + dprintf("Invalid certificate, returning in failure"); + + Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err)); + statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; + *errorCodePtr = ECONNABORTED; + return(-1); + } + } +#endif + + dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake"); + statePtr->flags &= ~TLS_TCL_INIT; + + dprintf("Returning in success"); + *errorCodePtr = 0; + + return(0); +} + +/* + *------------------------------------------------------------------- + * + * TlsInputProc -- + * + * This procedure is invoked by the generic IO level + * to read input from a SSL socket based channel. + * + * Results: + * The number of bytes read is returned or -1 on error. An output + * argument contains the POSIX error code on error, or zero if no + * error occurred. + * + * Side effects: + * Reads input from the input device of the channel. + * + *------------------------------------------------------------------- + */ + +static int TlsInputProc(void *instanceData, char *buf, int bufSize, int *errorCodePtr) { + unsigned long backingError; + State *statePtr = (State *) instanceData; + int bytesRead; + int tlsConnect; + int err; + + *errorCodePtr = 0; + + dprintf("BIO_read(%d)", bufSize); + + if (statePtr->flags & TLS_TCL_CALLBACK) { + /* don't process any bytes while verify callback is running */ + dprintf("Callback is running, reading 0 bytes"); + return(0); + } + + dprintf("Calling Tls_WaitForConnect"); + tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0); + if (tlsConnect < 0) { + dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); + + bytesRead = -1; + if (*errorCodePtr == ECONNRESET) { + dprintf("Got connection reset"); + /* Soft EOF */ + *errorCodePtr = 0; + bytesRead = 0; + } + + return(bytesRead); + } + + /* + * We need to clear the SSL error stack now because we sometimes reach + * this function with leftover errors in the stack. If BIO_read + * returns -1 and intends EAGAIN, there is a leftover error, it will be + * misconstrued as an error, not EAGAIN. + * + * Alternatively, we may want to handle the <0 return codes from + * BIO_read specially (as advised in the RSA docs). TLS's lower level BIO + * functions play with the retry flags though, and this seems to work + * correctly. Similar fix in TlsOutputProc. - hobbs + */ + ERR_clear_error(); + bytesRead = BIO_read(statePtr->bio, buf, bufSize); + dprintf("BIO_read -> %d", bytesRead); + + err = SSL_get_error(statePtr->ssl, bytesRead); + +#if 0 + if (bytesRead <= 0) { + if (BIO_should_retry(statePtr->bio)) { + dprintf("I/O failed, will retry based on EAGAIN"); + *errorCodePtr = EAGAIN; + } + } +#endif + + switch (err) { + case SSL_ERROR_NONE: + dprintBuffer(buf, bytesRead); + break; + case SSL_ERROR_SSL: + dprintf("SSL negotiation error, indicating that the connection has been aborted"); + + Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, bytesRead)); + *errorCodePtr = ECONNABORTED; + bytesRead = -1; + + break; + case SSL_ERROR_SYSCALL: + backingError = ERR_get_error(); + + if (backingError == 0 && bytesRead == 0) { + dprintf("EOF reached") + *errorCodePtr = 0; + bytesRead = 0; + } else if (backingError == 0 && bytesRead == -1) { + dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno()); + *errorCodePtr = Tcl_GetErrno(); + bytesRead = -1; + } else { + dprintf("I/O error occured (backingError = %lu)", backingError); + *errorCodePtr = backingError; + bytesRead = -1; + } + + break; + case SSL_ERROR_ZERO_RETURN: + dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached"); + bytesRead = 0; + *errorCodePtr = 0; + break; + case SSL_ERROR_WANT_READ: + dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN"); + bytesRead = -1; + *errorCodePtr = EAGAIN; + break; + default: + dprintf("Unknown error (err = %i), mapping to EOF", err); + *errorCodePtr = 0; + bytesRead = 0; + break; + } + + dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr); + return(bytesRead); +} + +/* + *------------------------------------------------------------------- + * + * TlsOutputProc -- + * + * This procedure is invoked by the generic IO level + * to write output to a SSL socket based channel. + * + * Results: + * The number of bytes written is returned. An output argument is + * set to a POSIX error code if an error occurred, or zero. + * + * Side effects: + * Writes output on the output device of the channel. + * + *------------------------------------------------------------------- + */ + +static int TlsOutputProc(void *instanceData, const char *buf, int toWrite, int *errorCodePtr) { + unsigned long backingError; + State *statePtr = (State *) instanceData; + int written, err; + int tlsConnect; + + *errorCodePtr = 0; + + dprintf("BIO_write(%p, %d)", (void *) statePtr, toWrite); + dprintBuffer(buf, toWrite); + + if (statePtr->flags & TLS_TCL_CALLBACK) { + dprintf("Don't process output while callbacks are running") + written = -1; + *errorCodePtr = EAGAIN; + return(-1); + } + + dprintf("Calling Tls_WaitForConnect"); + tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1); + if (tlsConnect < 0) { + dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); + + written = -1; + if (*errorCodePtr == ECONNRESET) { + dprintf("Got connection reset"); + /* Soft EOF */ + *errorCodePtr = 0; + written = 0; + } + + return(written); + } + + if (toWrite == 0) { + dprintf("zero-write"); + err = BIO_flush(statePtr->bio); + + if (err <= 0) { + dprintf("Flushing failed"); + + *errorCodePtr = EIO; + written = 0; + return(-1); + } + + written = 0; + *errorCodePtr = 0; + return(0); + } + + /* + * We need to clear the SSL error stack now because we sometimes reach + * this function with leftover errors in the stack. If BIO_write + * returns -1 and intends EAGAIN, there is a leftover error, it will be + * misconstrued as an error, not EAGAIN. + * + * Alternatively, we may want to handle the <0 return codes from + * BIO_write specially (as advised in the RSA docs). TLS's lower level + * BIO functions play with the retry flags though, and this seems to + * work correctly. Similar fix in TlsInputProc. - hobbs + */ + ERR_clear_error(); + written = BIO_write(statePtr->bio, buf, toWrite); + dprintf("BIO_write(%p, %d) -> [%d]", (void *) statePtr, toWrite, written); + + err = SSL_get_error(statePtr->ssl, written); + switch (err) { + case SSL_ERROR_NONE: + if (written < 0) { + written = 0; + } + break; + case SSL_ERROR_WANT_WRITE: + dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN"); + *errorCodePtr = EAGAIN; + written = -1; + break; + case SSL_ERROR_WANT_READ: + dprintf(" write R BLOCK"); + break; + case SSL_ERROR_WANT_X509_LOOKUP: + dprintf(" write X BLOCK"); + break; + case SSL_ERROR_ZERO_RETURN: + dprintf(" closed"); + written = 0; + *errorCodePtr = 0; + break; + case SSL_ERROR_SYSCALL: + backingError = ERR_get_error(); + + if (backingError == 0 && written == 0) { + dprintf("EOF reached") + *errorCodePtr = 0; + written = 0; + } else if (backingError == 0 && written == -1) { + dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno()); + *errorCodePtr = Tcl_GetErrno(); + written = -1; + } else { + dprintf("I/O error occured (backingError = %lu)", backingError); + *errorCodePtr = backingError; + written = -1; + } + + break; + case SSL_ERROR_SSL: + Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, written)); + *errorCodePtr = ECONNABORTED; + written = -1; + break; + default: + dprintf(" unknown err: %d", err); + break; + } + + dprintf("Output(%d) -> %d", toWrite, written); + return(written); +} + +/* + *------------------------------------------------------------------- + * + * TlsGetOptionProc -- + * + * Computes an option value for a SSL socket based channel, or a + * list of all options and their values. + * + * Results: + * A standard Tcl result. The value of the specified option or a + * list of all options and their values is returned in the + * supplied DString. + * + * Side effects: + * None. + * + *------------------------------------------------------------------- + */ +static int +TlsGetOptionProc(void *instanceData, /* Socket state. */ + Tcl_Interp *interp, /* For errors - can be NULL. */ + const char *optionName, /* Name of the option to + * retrieve the value for, or + * NULL to get all options and + * their values. */ + Tcl_DString *dsPtr) /* Where to store the computed value + * initialized by caller. */ +{ + State *statePtr = (State *) instanceData; + + Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); + Tcl_DriverGetOptionProc *getOptionProc; + + getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan)); + if (getOptionProc != NULL) { + return (*getOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, dsPtr); + } else if (optionName == (char*) NULL) { + /* + * Request is query for all options, this is ok. + */ + return TCL_OK; + } + /* + * Request for a specific option has to fail, we don't have any. + */ + return TCL_ERROR; +} + +/* + *------------------------------------------------------------------- + * + * TlsWatchProc -- + * + * Initialize the notifier to watch Tcl_Files from this channel. + * + * Results: + * None. + * + * Side effects: + * Sets up the notifier so that a future event on the channel + * will be seen by Tcl. + * + *------------------------------------------------------------------- + */ + +static void +TlsWatchProc(void *instanceData, /* The socket state. */ + int mask) /* Events of interest; an OR-ed + * combination of TCL_READABLE, + * TCL_WRITABLE and TCL_EXCEPTION. */ +{ + Tcl_Channel downChan; + State *statePtr = (State *) instanceData; + + dprintf("TlsWatchProc(0x%x)", mask); + + /* Pretend to be dead as long as the verify callback is running. + * Otherwise that callback could be invoked recursively. */ + if (statePtr->flags & TLS_TCL_CALLBACK) { + dprintf("Callback is on-going, doing nothing"); + return; + } + + dprintFlags(statePtr); + + downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); + + if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { + dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here"); + + dprintf("Unregistering interest in the lower channel"); + (Tcl_GetChannelType(downChan))->watchProc(Tcl_GetChannelInstanceData(downChan), 0); + + statePtr->watchMask = 0; + + return; + } + + statePtr->watchMask = mask; + + /* No channel handlers any more. We will be notified automatically + * about events on the channel below via a call to our + * 'TransformNotifyProc'. But we have to pass the interest down now. + * We are allowed to add additional 'interest' to the mask if we want + * to. But this transformation has no such interest. It just passes + * the request down, unchanged. + */ + + + dprintf("Registering our interest in the lower channel (chan=%p)", (void *) downChan); + (Tcl_GetChannelType(downChan)) + ->watchProc(Tcl_GetChannelInstanceData(downChan), mask); + + /* + * Management of the internal timer. + */ + + if (statePtr->timer != (Tcl_TimerToken) NULL) { + dprintf("A timer was found, deleting it"); + Tcl_DeleteTimerHandler(statePtr->timer); + statePtr->timer = (Tcl_TimerToken) NULL; + } + + if (mask & TCL_READABLE) { + if (Tcl_InputBuffered(statePtr->self) > 0 || BIO_ctrl_pending(statePtr->bio) > 0) { + /* + * There is interest in readable events and we actually have + * data waiting, so generate a timer to flush that. + */ + dprintf("Creating a new timer since data appears to be waiting"); + statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, TlsChannelHandlerTimer, statePtr); + } + } +} + +/* + *------------------------------------------------------------------- + * + * TlsGetHandleProc -- + * + * Called from Tcl_GetChannelFile to retrieve o/s file handler + * from the SSL socket based channel. + * + * Results: + * The appropriate Tcl_File or NULL if not present. + * + * Side effects: + * None. + * + *------------------------------------------------------------------- + */ +static int TlsGetHandleProc(void *instanceData, int direction, void **handlePtr) { + State *statePtr = (State *) instanceData; + + return(Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr)); +} + +/* + *------------------------------------------------------------------- + * + * TlsNotifyProc -- + * + * Handler called by Tcl to inform us of activity + * on the underlying channel. + * + * Results: + * None. + * + * Side effects: + * May process the incoming event by itself. + * + *------------------------------------------------------------------- + */ + +static int TlsNotifyProc(void *instanceData, int mask) { + State *statePtr = (State *) instanceData; + int errorCode; + + /* + * An event occured in the underlying channel. This + * transformation doesn't process such events thus returns the + * incoming mask unchanged. + */ + if (statePtr->timer != (Tcl_TimerToken) NULL) { + /* + * Delete an existing timer. It was not fired, yet we are + * here, so the channel below generated such an event and we + * don't have to. The renewal of the interest after the + * execution of channel handlers will eventually cause us to + * recreate the timer (in WatchProc). + */ + Tcl_DeleteTimerHandler(statePtr->timer); + statePtr->timer = (Tcl_TimerToken) NULL; + } + + if (statePtr->flags & TLS_TCL_CALLBACK) { + dprintf("Returning 0 due to callback"); + return 0; + } + + dprintf("Calling Tls_WaitForConnect"); + errorCode = 0; + if (Tls_WaitForConnect(statePtr, &errorCode, 1) < 0) { + if (errorCode == EAGAIN) { + dprintf("Async flag could be set (didn't check) and errorCode == EAGAIN: Returning 0"); + + return 0; + } + + dprintf("Tls_WaitForConnect returned an error"); + } + + dprintf("Returning %i", mask); + + return(mask); +} + +#if 0 +/* + *------------------------------------------------------* + * + * TlsChannelHandler -- + * + * ------------------------------------------------* + * Handler called by Tcl as a result of + * Tcl_CreateChannelHandler - to inform us of activity + * on the underlying channel. + * ------------------------------------------------* + * + * Sideeffects: + * May generate subsequent calls to + * Tcl_NotifyChannel. + * + * Result: + * None. + * + *------------------------------------------------------* + */ + +static void +TlsChannelHandler (clientData, mask) + void * clientData; + int mask; +{ + State *statePtr = (State *) clientData; + + dprintf("HANDLER(0x%x)", mask); + Tcl_Preserve(statePtr); + + if (mask & TCL_READABLE) { + BIO_set_flags(statePtr->p_bio, BIO_FLAGS_READ); + } else { + BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_READ); + } + + if (mask & TCL_WRITABLE) { + BIO_set_flags(statePtr->p_bio, BIO_FLAGS_WRITE); + } else { + BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_WRITE); + } + + mask = 0; + if (BIO_wpending(statePtr->bio)) { + mask |= TCL_WRITABLE; + } + if (BIO_pending(statePtr->bio)) { + mask |= TCL_READABLE; + } + + /* + * The following NotifyChannel calls seems to be important, but + * we don't know why. It looks like if the mask is ever non-zero + * that it will enter an infinite loop. + * + * Notify the upper channel of the current BIO state so the event + * continues to propagate up the chain. + * + * stanton: It looks like this could result in an infinite loop if + * the upper channel doesn't cause ChannelHandler to be removed + * before Tcl_NotifyChannel calls channel handlers on the lower channel. + */ + + Tcl_NotifyChannel(statePtr->self, mask); + + if (statePtr->timer != (Tcl_TimerToken)NULL) { + Tcl_DeleteTimerHandler(statePtr->timer); + statePtr->timer = (Tcl_TimerToken)NULL; + } + if ((mask & TCL_READABLE) && Tcl_InputBuffered(statePtr->self) > 0) { + /* + * Data is waiting, flush it out in short time + */ + statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, + TlsChannelHandlerTimer, statePtr); + } + Tcl_Release(statePtr); +} +#endif + +/* + *------------------------------------------------------* + * + * TlsChannelHandlerTimer -- + * + * ------------------------------------------------* + * Called by the notifier (-> timer) to flush out + * information waiting in channel buffers. + * ------------------------------------------------* + * + * Sideeffects: + * As of 'TlsChannelHandler'. + * + * Result: + * None. + * + *------------------------------------------------------* + */ + +static void TlsChannelHandlerTimer(void *clientData) { + State *statePtr = (State *) clientData; + int mask = 0; + + dprintf("Called"); + + statePtr->timer = (Tcl_TimerToken) NULL; + + if (BIO_wpending(statePtr->bio)) { + dprintf("[chan=%p] BIO writable", statePtr->self); + + mask |= TCL_WRITABLE; + } + + if (BIO_pending(statePtr->bio)) { + dprintf("[chan=%p] BIO readable", statePtr->self); + + mask |= TCL_READABLE; + } + + dprintf("Notifying ourselves"); + Tcl_NotifyChannel(statePtr->self, mask); + + dprintf("Returning"); + + return; +} + +Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags) { + dprintf("Requested to get parent of channel %p", statePtr->self); + + if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) { + dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL"); + return(NULL); + } + + return(Tcl_GetStackedChannel(statePtr->self)); +} ADDED generic/tlsInt.h Index: generic/tlsInt.h ================================================================== --- /dev/null +++ generic/tlsInt.h @@ -0,0 +1,198 @@ +/* + * Copyright (C) 1997-2000 Matt Newman + * + * TLS (aka SSL) Channel - can be layered on any bi-directional + * Tcl_Channel (Note: Requires Trf Core Patch) + * + * This was built from scratch based upon observation of OpenSSL 0.9.2B + * + * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for + * providing the Tcl_ReplaceChannel mechanism and working closely with me + * to enhance it to support full fileevent semantics. + * + * Also work done by the follow people provided the impetus to do this "right":- + * tclSSL (Colin McCormack, Shared Technology) + * SSLtcl (Peter Antman) + * + */ +#ifndef _TLSINT_H +#define _TLSINT_H + +#include "tls.h" +#include +#include +#include + +#ifdef __WIN32__ +#define WIN32_LEAN_AND_MEAN +#include +#include /* OpenSSL needs this on Windows */ +#endif + +#ifdef NO_PATENTS +# define NO_IDEA +# define NO_RC2 +# define NO_RC4 +# define NO_RC5 +# define NO_RSA +# ifndef NO_SSL2 +# define NO_SSL2 +# endif +#endif + +#include +#include +#include +#include + +/* + * Determine if we should use the pre-OpenSSL 1.1.0 API + */ +#undef TCLTLS_OPENSSL_PRE_1_1 +#if (defined(LIBRESSL_VERSION_NUMBER)) || OPENSSL_VERSION_NUMBER < 0x10100000L +# define TCLTLS_OPENSSL_PRE_1_1_API 1 +#endif + +#ifndef ECONNABORTED +#define ECONNABORTED 130 /* Software caused connection abort */ +#endif +#ifndef ECONNRESET +#define ECONNRESET 131 /* Connection reset by peer */ +#endif + +#ifdef TCLEXT_TCLTLS_DEBUG +#include +#define dprintf(...) { \ + char dprintfBuffer[8192], *dprintfBuffer_p; \ + dprintfBuffer_p = &dprintfBuffer[0]; \ + dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():", __FILE__, __LINE__, __func__); \ + dprintfBuffer_p += sprintf(dprintfBuffer_p, __VA_ARGS__); \ + fprintf(stderr, "%s\n", dprintfBuffer); \ + } +#define dprintBuffer(bufferName, bufferLength) { \ + int dprintBufferIdx; \ + unsigned char dprintBufferChar; \ + fprintf(stderr, "%s:%i:%s():%s[%llu]={", __FILE__, __LINE__, __func__, #bufferName, (unsigned long long) bufferLength); \ + for (dprintBufferIdx = 0; dprintBufferIdx < bufferLength; dprintBufferIdx++) { \ + dprintBufferChar = bufferName[dprintBufferIdx]; \ + if (isalpha(dprintBufferChar) || isdigit(dprintBufferChar)) { \ + fprintf(stderr, "'%c' ", dprintBufferChar); \ + } else { \ + fprintf(stderr, "%02x ", (unsigned int) dprintBufferChar); \ + }; \ + }; \ + fprintf(stderr, "}\n"); \ + } +#define dprintFlags(statePtr) { \ + char dprintfBuffer[8192], *dprintfBuffer_p; \ + dprintfBuffer_p = &dprintfBuffer[0]; \ + dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():%s->flags=0", __FILE__, __LINE__, __func__, #statePtr); \ + if (((statePtr)->flags & TLS_TCL_ASYNC) == TLS_TCL_ASYNC) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_ASYNC"); }; \ + if (((statePtr)->flags & TLS_TCL_SERVER) == TLS_TCL_SERVER) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_SERVER"); }; \ + if (((statePtr)->flags & TLS_TCL_INIT) == TLS_TCL_INIT) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_INIT"); }; \ + if (((statePtr)->flags & TLS_TCL_DEBUG) == TLS_TCL_DEBUG) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_DEBUG"); }; \ + if (((statePtr)->flags & TLS_TCL_CALLBACK) == TLS_TCL_CALLBACK) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_CALLBACK"); }; \ + if (((statePtr)->flags & TLS_TCL_HANDSHAKE_FAILED) == TLS_TCL_HANDSHAKE_FAILED) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_HANDSHAKE_FAILED"); }; \ + if (((statePtr)->flags & TLS_TCL_FASTPATH) == TLS_TCL_FASTPATH) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_FASTPATH"); }; \ + fprintf(stderr, "%s\n", dprintfBuffer); \ + } +#else +#define dprintf(...) if (0) { fprintf(stderr, __VA_ARGS__); } +#define dprintBuffer(bufferName, bufferLength) /**/ +#define dprintFlags(statePtr) /**/ +#endif + +#define TCLTLS_SSL_ERROR(ssl,err) ((char*)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err)))) +/* + * OpenSSL BIO Routines + */ +#define BIO_TYPE_TCL (19|0x0400) + +/* + * Defines for State.flags + */ +#define TLS_TCL_ASYNC (1<<0) /* non-blocking mode */ +#define TLS_TCL_SERVER (1<<1) /* Server-Side */ +#define TLS_TCL_INIT (1<<2) /* Initializing connection */ +#define TLS_TCL_DEBUG (1<<3) /* Show debug tracing */ +#define TLS_TCL_CALLBACK (1<<4) /* In a callback, prevent update + * looping problem. [Bug 1652380] */ +#define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once + * set, all further I/O will result + * in ECONNABORTED errors. */ +#define TLS_TCL_FASTPATH (1<<6) /* The parent channel is being used directly by the SSL library */ +#define TLS_TCL_DELAY (5) + +/* + * This structure describes the per-instance state + * of an ssl channel. + * + * The SSL processing context is maintained here, in the ClientData + */ +typedef struct State { + Tcl_Channel self; /* this socket channel */ + Tcl_TimerToken timer; + + int flags; /* see State.flags above */ + int watchMask; /* current WatchProc mask */ + int mode; /* current mode of parent channel */ + + Tcl_Interp *interp; /* interpreter in which this resides */ + Tcl_Obj *callback; /* script called for tracing, verifying and errors */ + Tcl_Obj *password; /* script called for certificate password */ + + int vflags; /* verify flags */ + SSL *ssl; /* Struct for SSL processing */ + SSL_CTX *ctx; /* SSL Context */ + BIO *bio; /* Struct for SSL processing */ + BIO *p_bio; /* Parent BIO (that is layered on Tcl_Channel) */ + + const char *err; +} State; + +#ifdef USE_TCL_STUBS +#ifndef Tcl_StackChannel +#error "Unable to compile on this version of Tcl" +#endif /* Tcl_GetStackedChannel */ +#endif /* USE_TCL_STUBS */ + +#ifndef JOIN +# define JOIN(a,b) JOIN1(a,b) +# define JOIN1(a,b) a##b +#endif + +#ifndef TCL_UNUSED +# if defined(__cplusplus) +# define TCL_UNUSED(T) T +# elif defined(__GNUC__) && (__GNUC__ > 2) +# define TCL_UNUSED(T) T JOIN(dummy, __LINE__) __attribute__((unused)) +# else +# define TCL_UNUSED(T) T JOIN(dummy, __LINE__) +# endif +#endif + +#if (TCL_MAJOR_VERSION < 9) && defined(TCL_MINOR_VERSION) && (TCL_MINOR_VERSION < 7) && !defined(Tcl_Size) +# define Tcl_Size int +#endif + +/* + * Forward declarations + */ +const Tcl_ChannelType *Tls_ChannelType(void); +Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags); + +Tcl_Obj *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert); +void Tls_Error(State *statePtr, char *msg); +#if TCL_MAJOR_VERSION > 8 +void Tls_Free(void *blockPtr); +#else +void Tls_Free(char *blockPtr); +#endif +void Tls_Clean(State *statePtr); +int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent); + +BIO *BIO_new_tcl(State* statePtr, int flags); + +#define PTR2INT(x) ((int) ((intptr_t) (x))) + +#endif /* _TLSINT_H */ ADDED generic/tlsX509.c Index: generic/tlsX509.c ================================================================== --- /dev/null +++ generic/tlsX509.c @@ -0,0 +1,209 @@ +/* + * Copyright (C) 1997-2000 Sensus Consulting Ltd. + * Matt Newman + */ +#include "tlsInt.h" + +/* + * Ensure these are not macros - known to be defined on Win32 + */ +#ifdef min +#undef min +#endif + +#ifdef max +#undef max +#endif + +static int min(int a, int b) +{ + return (a < b) ? a : b; +} + +static int max(int a, int b) +{ + return (a > b) ? a : b; +} + +/* + * ASN1_UTCTIME_tostr -- + */ +static char * +ASN1_UTCTIME_tostr(ASN1_UTCTIME *tm) +{ + static char bp[128]; + char *v; + int gmt=0; + static char *mon[12]={ + "Jan","Feb","Mar","Apr","May","Jun", + "Jul","Aug","Sep","Oct","Nov","Dec"}; + int i; + int y=0,M=0,d=0,h=0,m=0,s=0; + + i=tm->length; + v=(char *)tm->data; + + if (i < 10) goto err; + if (v[i-1] == 'Z') gmt=1; + for (i=0; i<10; i++) + if ((v[i] > '9') || (v[i] < '0')) goto err; + y= (v[0]-'0')*10+(v[1]-'0'); + if (y < 70) y+=100; + M= (v[2]-'0')*10+(v[3]-'0'); + if ((M > 12) || (M < 1)) goto err; + d= (v[4]-'0')*10+(v[5]-'0'); + h= (v[6]-'0')*10+(v[7]-'0'); + m= (v[8]-'0')*10+(v[9]-'0'); + if ( (v[10] >= '0') && (v[10] <= '9') && + (v[11] >= '0') && (v[11] <= '9')) + s= (v[10]-'0')*10+(v[11]-'0'); + + sprintf(bp,"%s %2d %02d:%02d:%02d %d%s", + mon[M-1],d,h,m,s,y+1900,(gmt)?" GMT":""); + return bp; + err: + return "Bad time value"; +} + +/* + *------------------------------------------------------* + * + * Tls_NewX509Obj -- + * + * ------------------------------------------------* + * Converts a X509 certificate into a Tcl_Obj + * ------------------------------------------------* + * + * Sideeffects: + * None + * + * Result: + * A Tcl List Object representing the provided + * X509 certificate. + * + *------------------------------------------------------* + */ + +#define CERT_STR_SIZE 16384 + +Tcl_Obj* +Tls_NewX509Obj( interp, cert) + Tcl_Interp *interp; + X509 *cert; +{ + Tcl_Obj *certPtr = Tcl_NewListObj( 0, NULL); + BIO *bio; + int n; + unsigned long flags; + char subject[BUFSIZ]; + char issuer[BUFSIZ]; + char serial[BUFSIZ]; + char notBefore[BUFSIZ]; + char notAfter[BUFSIZ]; + char certStr[CERT_STR_SIZE], *certStr_p; + int certStr_len, toRead; +#ifndef NO_SSL_SHA + int shai; + char sha_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1]; + unsigned char sha_hash_binary[SHA_DIGEST_LENGTH]; + const char *shachars="0123456789ABCDEF"; + + sha_hash_ascii[SHA_DIGEST_LENGTH * 2] = '\0'; +#endif + + certStr[0] = 0; + if ((bio = BIO_new(BIO_s_mem())) == NULL) { + subject[0] = 0; + issuer[0] = 0; + serial[0] = 0; + } else { + flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT; + flags &= ~ASN1_STRFLGS_ESC_MSB; + + X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags); + n = BIO_read(bio, subject, min(BIO_pending(bio), BUFSIZ - 1)); + n = max(n, 0); + subject[n] = 0; + (void)BIO_flush(bio); + + X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags); + n = BIO_read(bio, issuer, min(BIO_pending(bio), BUFSIZ - 1)); + n = max(n, 0); + issuer[n] = 0; + (void)BIO_flush(bio); + + i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); + n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1)); + n = max(n, 0); + serial[n] = 0; + (void)BIO_flush(bio); + + if (PEM_write_bio_X509(bio, cert)) { + certStr_p = certStr; + certStr_len = 0; + while (1) { + toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1); + toRead = min(toRead, BUFSIZ); + if (toRead == 0) { + break; + } + dprintf("Reading %i bytes from the certificate...", toRead); + n = BIO_read(bio, certStr_p, toRead); + if (n <= 0) { + break; + } + certStr_len += n; + certStr_p += n; + } + *certStr_p = '\0'; + (void)BIO_flush(bio); + } + + BIO_free(bio); + } + + strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) )); + strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) )); + +#ifndef NO_SSL_SHA + X509_digest(cert, EVP_sha1(), sha_hash_binary, NULL); + for (shai = 0; shai < SHA_DIGEST_LENGTH; shai++) { + sha_hash_ascii[shai * 2] = shachars[(sha_hash_binary[shai] & 0xF0) >> 4]; + sha_hash_ascii[shai * 2 + 1] = shachars[(sha_hash_binary[shai] & 0x0F)]; + } + Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) ); + Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha_hash_ascii, SHA_DIGEST_LENGTH * 2) ); + +#endif + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( "subject", -1) ); + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( subject, -1) ); + + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( "issuer", -1) ); + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( issuer, -1) ); + + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( "notBefore", -1) ); + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( notBefore, -1) ); + + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( "notAfter", -1) ); + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( notAfter, -1) ); + + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( "serial", -1) ); + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( serial, -1) ); + + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( "certificate", -1) ); + Tcl_ListObjAppendElement( interp, certPtr, + Tcl_NewStringObj( certStr, -1) ); + + return certPtr; +} DELETED tclOpts.h Index: tclOpts.h ================================================================== --- tclOpts.h +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright (C) 1997-2000 Matt Newman - * - * Stylized option processing - requires consitent - * external vars: opt, idx, objc, objv - */ -#ifndef _TCL_OPTS_H -#define _TCL_OPTS_H - -#define OPT_PROLOG(option) \ - if (strcmp(opt, (option)) == 0) { \ - if (++idx >= objc) { \ - Tcl_AppendResult(interp, \ - "no argument given for ", \ - (option), " option", \ - (char *) NULL); \ - return TCL_ERROR; \ - } -#define OPT_POSTLOG() \ - continue; \ - } -#define OPTOBJ(option, var) \ - OPT_PROLOG(option) \ - var = objv[idx]; \ - OPT_POSTLOG() - -#define OPTSTR(option, var) \ - OPT_PROLOG(option) \ - var = Tcl_GetString(objv[idx]);\ - OPT_POSTLOG() - -#define OPTINT(option, var) \ - OPT_PROLOG(option) \ - if (Tcl_GetIntFromObj(interp, objv[idx], \ - &(var)) != TCL_OK) { \ - return TCL_ERROR; \ - } \ - OPT_POSTLOG() - -#define OPTBOOL(option, var) \ - OPT_PROLOG(option) \ - if (Tcl_GetBooleanFromObj(interp, objv[idx],\ - &(var)) != TCL_OK) { \ - return TCL_ERROR; \ - } \ - OPT_POSTLOG() - -#define OPTBYTE(option, var, lvar) \ - OPT_PROLOG(option) \ - var = Tcl_GetByteArrayFromObj(objv[idx], &(lvar));\ - OPT_POSTLOG() - -#define OPTBAD(type, list) \ - Tcl_AppendResult(interp, "bad ", (type), \ - " \"", opt, "\": must be ", \ - (list), (char *) NULL) - -#endif /* _TCL_OPTS_H */ DELETED tls.c Index: tls.c ================================================================== --- tls.c +++ /dev/null @@ -1,1947 +0,0 @@ -/* - * Copyright (C) 1997-1999 Matt Newman - * some modifications: - * Copyright (C) 2000 Ajuba Solutions - * Copyright (C) 2002 ActiveState Corporation - * Copyright (C) 2004 Starfish Systems - * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) - * - * This was built (almost) from scratch based upon observation of - * OpenSSL 0.9.2B - * - * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for - * providing the Tcl_ReplaceChannel mechanism and working closely with me - * to enhance it to support full fileevent semantics. - * - * Also work done by the follow people provided the impetus to do this "right": - * tclSSL (Colin McCormack, Shared Technology) - * SSLtcl (Peter Antman) - * - */ - -#include "tlsInt.h" -#include "tclOpts.h" -#include - -/* - * External functions - */ - -/* - * Forward declarations - */ - -#define F2N( key, dsp) \ - (((key) == NULL) ? (char *) NULL : \ - Tcl_TranslateFileName(interp, (key), (dsp))) -#define REASON() ERR_reason_error_string(ERR_get_error()) - -static void InfoCallback(const SSL *ssl, int where, int ret); - -static Tcl_ObjCmdProc CiphersObjCmd; -static Tcl_ObjCmdProc HandshakeObjCmd; -static Tcl_ObjCmdProc ImportObjCmd; -static Tcl_ObjCmdProc StatusObjCmd; -static Tcl_ObjCmdProc VersionObjCmd; -static Tcl_ObjCmdProc MiscObjCmd; -static Tcl_ObjCmdProc UnimportObjCmd; - -static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, - char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, - int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile, - char *ciphers, char *DHparams); - -static int TlsLibInit(int uninitialize); - -#define TLS_PROTO_SSL2 0x01 -#define TLS_PROTO_SSL3 0x02 -#define TLS_PROTO_TLS1 0x04 -#define TLS_PROTO_TLS1_1 0x08 -#define TLS_PROTO_TLS1_2 0x10 -#define TLS_PROTO_TLS1_3 0x20 -#define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) - -/* - * Static data structures - */ - -#ifndef OPENSSL_NO_DH -#include "dh_params.h" -#endif - -/* - * We lose the tcl password callback when we use the RSA BSAFE SSL-C 1.1.2 - * libraries instead of the current OpenSSL libraries. - */ - -#ifdef BSAFE -#define PRE_OPENSSL_0_9_4 1 -#endif - -/* - * Pre OpenSSL 0.9.4 Compat - */ - -#ifndef STACK_OF -#define STACK_OF(x) STACK -#define sk_SSL_CIPHER_num(sk) sk_num((sk)) -#define sk_SSL_CIPHER_value( sk, index) (SSL_CIPHER*)sk_value((sk), (index)) -#endif - -/* - * Thread-Safe TLS Code - */ - -#ifdef TCL_THREADS -#define OPENSSL_THREAD_DEFINES -#include - -#ifdef OPENSSL_THREADS -#include - -/* - * Threaded operation requires locking callbacks - * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. - */ - -static Tcl_Mutex *locks = NULL; -static int locksCount = 0; -static Tcl_Mutex init_mx; - -void CryptoThreadLockCallback(int mode, int n, const char *file, int line) { - - if (mode & CRYPTO_LOCK) { - /* This debugging is turned off by default -- it's too noisy. */ - /* dprintf("Called to lock (n=%i of %i)", n, locksCount); */ - Tcl_MutexLock(&locks[n]); - } else { - /* dprintf("Called to unlock (n=%i of %i)", n, locksCount); */ - Tcl_MutexUnlock(&locks[n]); - } - - /* dprintf("Returning"); */ - - return; - file = file; - line = line; -} - -unsigned long CryptoThreadIdCallback(void) { - unsigned long ret; - - dprintf("Called"); - - ret = (unsigned long) Tcl_GetCurrentThread(); - - dprintf("Returning %lu", ret); - - return(ret); -} -#endif /* OPENSSL_THREADS */ -#endif /* TCL_THREADS */ - - -/* - *------------------------------------------------------------------- - * - * InfoCallback -- - * - * monitors SSL connection process - * - * Results: - * None - * - * Side effects: - * Calls callback (if defined) - *------------------------------------------------------------------- - */ -static void -InfoCallback(const SSL *ssl, int where, int ret) -{ - State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); - Tcl_Obj *cmdPtr; - const char *major, *minor; - - dprintf("Called"); - - if (statePtr->callback == (Tcl_Obj*)NULL) - return; - - cmdPtr = Tcl_DuplicateObj(statePtr->callback); - -#if 0 - if (where & SSL_CB_ALERT) { - sev = SSL_alert_type_string_long(ret); - if (strcmp( sev, "fatal")==0) { /* Map to error */ - Tls_Error(statePtr, SSL_ERROR(ssl, 0)); - return; - } - } -#endif - if (where & SSL_CB_HANDSHAKE_START) { - major = "handshake"; - minor = "start"; - } else if (where & SSL_CB_HANDSHAKE_DONE) { - major = "handshake"; - minor = "done"; - } else { - if (where & SSL_CB_ALERT) major = "alert"; - else if (where & SSL_ST_CONNECT) major = "connect"; - else if (where & SSL_ST_ACCEPT) major = "accept"; - else major = "unknown"; - - if (where & SSL_CB_READ) minor = "read"; - else if (where & SSL_CB_WRITE) minor = "write"; - else if (where & SSL_CB_LOOP) minor = "loop"; - else if (where & SSL_CB_EXIT) minor = "exit"; - else minor = "unknown"; - } - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( "info", -1)); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) ); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( major, -1) ); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( minor, -1) ); - - if (where & (SSL_CB_LOOP|SSL_CB_EXIT)) { - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( SSL_state_string_long(ssl), -1) ); - } else if (where & SSL_CB_ALERT) { - const char *cp = (char *) SSL_alert_desc_string_long(ret); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( cp, -1) ); - } else { - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( SSL_state_string_long(ssl), -1) ); - } - Tcl_Preserve( (ClientData) statePtr->interp); - Tcl_Preserve( (ClientData) statePtr); - - Tcl_IncrRefCount( cmdPtr); - (void) Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL); - Tcl_DecrRefCount( cmdPtr); - - Tcl_Release( (ClientData) statePtr); - Tcl_Release( (ClientData) statePtr->interp); - -} - -/* - *------------------------------------------------------------------- - * - * VerifyCallback -- - * - * Monitors SSL certificate validation process. - * This is called whenever a certificate is inspected - * or decided invalid. - * - * Results: - * A callback bound to the socket may return one of: - * 0 - the certificate is deemed invalid - * 1 - the certificate is deemed valid - * empty string - no change to certificate validation - * - * Side effects: - * The err field of the currently operative State is set - * to a string describing the SSL negotiation failure reason - *------------------------------------------------------------------- - */ -static int -VerifyCallback(int ok, X509_STORE_CTX *ctx) -{ - Tcl_Obj *cmdPtr, *result; - char *errStr, *string; - Tcl_Size length; - SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); - X509 *cert = X509_STORE_CTX_get_current_cert(ctx); - State *statePtr = (State*)SSL_get_app_data(ssl); - int depth = X509_STORE_CTX_get_error_depth(ctx); - int err = X509_STORE_CTX_get_error(ctx); - - dprintf("Verify: %d", ok); - - if (!ok) { - errStr = (char*)X509_verify_cert_error_string(err); - } else { - errStr = (char *)0; - } - - if (statePtr->callback == (Tcl_Obj*)NULL) { - if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { - return ok; - } else { - return 1; - } - } - cmdPtr = Tcl_DuplicateObj(statePtr->callback); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( "verify", -1)); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) ); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewIntObj( depth) ); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tls_NewX509Obj( statePtr->interp, cert) ); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewIntObj( ok) ); - - Tcl_ListObjAppendElement( statePtr->interp, cmdPtr, - Tcl_NewStringObj( errStr ? errStr : "", -1) ); - - Tcl_Preserve( (ClientData) statePtr->interp); - Tcl_Preserve( (ClientData) statePtr); - - statePtr->flags |= TLS_TCL_CALLBACK; - - Tcl_IncrRefCount( cmdPtr); - if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) { - /* It got an error - reject the certificate. */ - Tcl_BackgroundError( statePtr->interp); - ok = 0; - } else { - result = Tcl_GetObjResult(statePtr->interp); - string = Tcl_GetStringFromObj(result, &length); - /* An empty result leaves verification unchanged. */ - if (string != NULL && length > 0) { - if (Tcl_GetIntFromObj(statePtr->interp, result, &ok) != TCL_OK) { - Tcl_BackgroundError(statePtr->interp); - ok = 0; - } - } - } - Tcl_DecrRefCount( cmdPtr); - - statePtr->flags &= ~(TLS_TCL_CALLBACK); - - Tcl_Release( (ClientData) statePtr); - Tcl_Release( (ClientData) statePtr->interp); - - return(ok); /* By default, leave verification unchanged. */ -} - -/* - *------------------------------------------------------------------- - * - * Tls_Error -- - * - * Calls callback with $fd and $msg - so the callback can decide - * what to do with errors. - * - * Side effects: - * The err field of the currently operative State is set - * to a string describing the SSL negotiation failure reason - *------------------------------------------------------------------- - */ -void -Tls_Error(State *statePtr, char *msg) -{ - Tcl_Obj *cmdPtr; - - dprintf("Called"); - - if (msg && *msg) { - Tcl_SetErrorCode(statePtr->interp, "SSL", msg, (char *)NULL); - } else { - msg = Tcl_GetString(Tcl_GetObjResult(statePtr->interp)); - } - statePtr->err = msg; - - if (statePtr->callback == (Tcl_Obj*)NULL) { - char buf[BUFSIZ]; - sprintf(buf, "SSL channel \"%s\": error: %s", - Tcl_GetChannelName(statePtr->self), msg); - Tcl_SetResult( statePtr->interp, buf, TCL_VOLATILE); - Tcl_BackgroundError( statePtr->interp); - return; - } - cmdPtr = Tcl_DuplicateObj(statePtr->callback); - - Tcl_ListObjAppendElement(statePtr->interp, cmdPtr, - Tcl_NewStringObj("error", -1)); - - Tcl_ListObjAppendElement(statePtr->interp, cmdPtr, - Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); - - Tcl_ListObjAppendElement(statePtr->interp, cmdPtr, - Tcl_NewStringObj(msg, -1)); - - Tcl_Preserve((ClientData) statePtr->interp); - Tcl_Preserve((ClientData) statePtr); - - Tcl_IncrRefCount(cmdPtr); - if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) { - Tcl_BackgroundError(statePtr->interp); - } - Tcl_DecrRefCount(cmdPtr); - - Tcl_Release((ClientData) statePtr); - Tcl_Release((ClientData) statePtr->interp); -} - -/* - *------------------------------------------------------------------- - * - * PasswordCallback -- - * - * Called when a password is needed to unpack RSA and PEM keys. - * Evals any bound password script and returns the result as - * the password string. - *------------------------------------------------------------------- - */ -#ifdef PRE_OPENSSL_0_9_4 -/* - * No way to handle user-data therefore no way without a global - * variable to access the Tcl interpreter. -*/ -static int -PasswordCallback(char *buf, int size, int verify) -{ - return -1; - buf = buf; - size = size; - verify = verify; -} -#else -static int -PasswordCallback(char *buf, int size, int verify, void *udata) -{ - State *statePtr = (State *) udata; - Tcl_Interp *interp = statePtr->interp; - Tcl_Obj *cmdPtr; - int result; - - dprintf("Called"); - - if (statePtr->password == NULL) { - if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) - == TCL_OK) { - char *ret = (char *) Tcl_GetStringResult(interp); - strncpy(buf, ret, (size_t) size); - return (int)strlen(ret); - } else { - return -1; - } - } - - cmdPtr = Tcl_DuplicateObj(statePtr->password); - - Tcl_Preserve((ClientData) statePtr->interp); - Tcl_Preserve((ClientData) statePtr); - - Tcl_IncrRefCount(cmdPtr); - result = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL); - if (result != TCL_OK) { - Tcl_BackgroundError(statePtr->interp); - } - Tcl_DecrRefCount(cmdPtr); - - Tcl_Release((ClientData) statePtr); - Tcl_Release((ClientData) statePtr->interp); - - if (result == TCL_OK) { - char *ret = (char *) Tcl_GetStringResult(interp); - strncpy(buf, ret, (size_t) size); - return (int)strlen(ret); - } else { - return -1; - } - verify = verify; -} -#endif - -/* - *------------------------------------------------------------------- - * - * CiphersObjCmd -- list available ciphers - * - * This procedure is invoked to process the "tls::ciphers" command - * to list available ciphers, based upon protocol selected. - * - * Results: - * A standard Tcl result list. - * - * Side effects: - * constructs and destroys SSL context (CTX) - * - *------------------------------------------------------------------- - */ -static int -CiphersObjCmd( - TCL_UNUSED(void *), - Tcl_Interp *interp, - int objc, - Tcl_Obj *const objv[]) -{ - static const char *protocols[] = { - "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL - }; - enum protocol { - TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE - }; - Tcl_Obj *objPtr; - SSL_CTX *ctx = NULL; - SSL *ssl = NULL; - STACK_OF(SSL_CIPHER) *sk; - char *cp, buf[BUFSIZ]; - int index, verbose = 0; - - dprintf("Called"); - - if (objc < 2 || objc > 3) { - Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose?"); - return TCL_ERROR; - } - if (Tcl_GetIndexFromObj( interp, objv[1], protocols, "protocol", 0, - &index) != TCL_OK) { - return TCL_ERROR; - } - if (objc > 2 && Tcl_GetBooleanFromObj( interp, objv[2], - &verbose) != TCL_OK) { - return TCL_ERROR; - } - switch ((enum protocol)index) { - case TLS_SSL2: -#if defined(NO_SSL2) - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return TCL_ERROR; -#else - ctx = SSL_CTX_new(SSLv2_method()); break; -#endif - case TLS_SSL3: -#if defined(NO_SSL3) - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return TCL_ERROR; -#else - ctx = SSL_CTX_new(SSLv3_method()); break; -#endif - case TLS_TLS1: -#if defined(NO_TLS1) - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return TCL_ERROR; -#else - ctx = SSL_CTX_new(TLSv1_method()); break; -#endif - case TLS_TLS1_1: -#if defined(NO_TLS1_1) - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return TCL_ERROR; -#else - ctx = SSL_CTX_new(TLSv1_1_method()); break; -#endif - case TLS_TLS1_2: -#if defined(NO_TLS1_2) - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return TCL_ERROR; -#else - ctx = SSL_CTX_new(TLSv1_2_method()); break; -#endif - case TLS_TLS1_3: -#if defined(NO_TLS1_3) - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return TCL_ERROR; -#else - ctx = SSL_CTX_new(TLS_method()); break; - SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); - SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION); -#endif - default: - break; - } - if (ctx == NULL) { - Tcl_AppendResult(interp, REASON(), (char *) NULL); - return TCL_ERROR; - } - ssl = SSL_new(ctx); - if (ssl == NULL) { - Tcl_AppendResult(interp, REASON(), (char *) NULL); - SSL_CTX_free(ctx); - return TCL_ERROR; - } - objPtr = Tcl_NewListObj( 0, NULL); - - if (!verbose) { - for (index = 0; ; index++) { - cp = (char*)SSL_get_cipher_list( ssl, index); - if (cp == NULL) break; - Tcl_ListObjAppendElement( interp, objPtr, - Tcl_NewStringObj( cp, -1) ); - } - } else { - sk = SSL_get_ciphers(ssl); - - for (index = 0; index < sk_SSL_CIPHER_num(sk); index++) { - size_t i; - SSL_CIPHER_description( sk_SSL_CIPHER_value( sk, index), - buf, sizeof(buf)); - for (i = strlen(buf) - 1; i ; i--) { - if (buf[i] == ' ' || buf[i] == '\n' || - buf[i] == '\r' || buf[i] == '\t') { - buf[i] = '\0'; - } else { - break; - } - } - Tcl_ListObjAppendElement( interp, objPtr, - Tcl_NewStringObj( buf, -1) ); - } - } - SSL_free(ssl); - SSL_CTX_free(ctx); - - Tcl_SetObjResult( interp, objPtr); - return TCL_OK; -} - -/* - *------------------------------------------------------------------- - * - * HandshakeObjCmd -- - * - * This command is used to verify whether the handshake is complete - * or not. - * - * Results: - * A standard Tcl result. 1 means handshake complete, 0 means pending. - * - * Side effects: - * May force SSL negotiation to take place. - * - *------------------------------------------------------------------- - */ - -static int HandshakeObjCmd( - TCL_UNUSED(void *), - Tcl_Interp *interp, - int objc, - Tcl_Obj *const objv[]) -{ - Tcl_Channel chan; /* The channel to set a mode on. */ - State *statePtr; /* client state for ssl socket */ - const char *errStr = NULL; - int ret = 1; - int err = 0; - - dprintf("Called"); - - if (objc != 2) { - Tcl_WrongNumArgs(interp, 1, objv, "channel"); - return(TCL_ERROR); - } - - chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); - if (chan == (Tcl_Channel) NULL) { - return(TCL_ERROR); - } - - /* - * Make sure to operate on the topmost channel - */ - chan = Tcl_GetTopChannel(chan); - if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { - Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL); - return(TCL_ERROR); - } - statePtr = (State *)Tcl_GetChannelInstanceData(chan); - - dprintf("Calling Tls_WaitForConnect"); - ret = Tls_WaitForConnect(statePtr, &err, 1); - dprintf("Tls_WaitForConnect returned: %i", ret); - - if ( - ret < 0 && \ - ((statePtr->flags & TLS_TCL_ASYNC) && err == EAGAIN) - ) { - dprintf("Async set and err = EAGAIN"); - ret = 0; - } else if (ret < 0) { - errStr = statePtr->err; - Tcl_ResetResult(interp); - Tcl_SetErrno(err); - - if (!errStr || *errStr == 0) { - errStr = Tcl_PosixError(interp); - } - - Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL); - dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); - return(TCL_ERROR); - } else { - if (err != 0) { - dprintf("Got an error with a completed handshake: err = %i", err); - } - - ret = 1; - } - - dprintf("Returning TCL_OK with data \"%i\"", ret); - Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); - return(TCL_OK); -} - -/* - *------------------------------------------------------------------- - * - * ImportObjCmd -- - * - * This procedure is invoked to process the "ssl" command - * - * The ssl command pushes SSL over a (newly connected) tcp socket - * - * Results: - * A standard Tcl result. - * - * Side effects: - * May modify the behavior of an IO channel. - * - *------------------------------------------------------------------- - */ - -static int -ImportObjCmd( - TCL_UNUSED(void *), - Tcl_Interp *interp, - int objc, - Tcl_Obj *const objv[]) -{ - Tcl_Channel chan; /* The channel to set a mode on. */ - State *statePtr; /* client state for ssl socket */ - SSL_CTX *ctx = NULL; - Tcl_Obj *script = NULL; - Tcl_Obj *password = NULL; - Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; - int idx; - Tcl_Size len; - int flags = TLS_TCL_INIT; - int server = 0; /* is connection incoming or outgoing? */ - char *keyfile = NULL; - char *certfile = NULL; - unsigned char *key = NULL; - Tcl_Size key_len = 0; - unsigned char *cert = NULL; - Tcl_Size cert_len = 0; - char *ciphers = NULL; - char *CAfile = NULL; - char *CAdir = NULL; - char *DHparams = NULL; - char *model = NULL; -#ifndef OPENSSL_NO_TLSEXT - char *servername = NULL; /* hostname for Server Name Indication */ -#endif - int ssl2 = 0, ssl3 = 0; - int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; - int proto = 0; - int verify = 0, require = 0, request = 1; - - dprintf("Called"); - -#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL3) && !defined(NO_SSL2) - ssl2 = 1; -#endif -#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL2) && !defined(NO_SSL3) - ssl3 = 1; -#endif -#if defined(NO_TLS1) - tls1 = 0; -#endif -#if defined(NO_TLS1_1) - tls1_1 = 0; -#endif -#if defined(NO_TLS1_2) - tls1_2 = 0; -#endif -#if defined(NO_TLS1_3) - tls1_3 = 0; -#endif - - if (objc < 2) { - Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); - return TCL_ERROR; - } - - chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); - if (chan == (Tcl_Channel) NULL) { - return TCL_ERROR; - } - - /* - * Make sure to operate on the topmost channel - */ - chan = Tcl_GetTopChannel(chan); - - for (idx = 2; idx < objc; idx++) { - char *opt = Tcl_GetString(objv[idx]); - - if (opt[0] != '-') - break; - - OPTSTR( "-cadir", CAdir); - OPTSTR( "-cafile", CAfile); - OPTSTR( "-certfile", certfile); - OPTSTR( "-cipher", ciphers); - OPTOBJ( "-command", script); - OPTSTR( "-dhparams", DHparams); - OPTSTR( "-keyfile", keyfile); - OPTSTR( "-model", model); - OPTOBJ( "-password", password); - OPTBOOL( "-require", require); - OPTBOOL( "-request", request); - OPTBOOL( "-server", server); -#ifndef OPENSSL_NO_TLSEXT - OPTSTR( "-servername", servername); -#endif - - OPTBOOL( "-ssl2", ssl2); - OPTBOOL( "-ssl3", ssl3); - OPTBOOL( "-tls1", tls1); - OPTBOOL( "-tls1.1", tls1_1); - OPTBOOL( "-tls1.2", tls1_2); - OPTBOOL( "-tls1.3", tls1_3) - OPTBYTE("-cert", cert, cert_len); - OPTBYTE("-key", key, key_len); - - OPTBAD( "option", "-cadir, -cafile, -cert, -certfile, -cipher, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3"); - - return TCL_ERROR; - } - if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; - if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - if (verify == 0) verify = SSL_VERIFY_NONE; - - proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); - proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); - proto |= (tls1 ? TLS_PROTO_TLS1 : 0); - proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); - proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); - proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0); - - /* reset to NULL if blank string provided */ - if (cert && !*cert) cert = NULL; - if (key && !*key) key = NULL; - if (certfile && !*certfile) certfile = NULL; - if (keyfile && !*keyfile) keyfile = NULL; - if (ciphers && !*ciphers) ciphers = NULL; - if (CAfile && !*CAfile) CAfile = NULL; - if (CAdir && !*CAdir) CAdir = NULL; - if (DHparams && !*DHparams) DHparams = NULL; - - /* new SSL state */ - statePtr = (State *) ckalloc((unsigned) sizeof(State)); - memset(statePtr, 0, sizeof(State)); - - statePtr->flags = flags; - statePtr->interp = interp; - statePtr->vflags = verify; - statePtr->err = ""; - - /* allocate script */ - if (script) { - (void) Tcl_GetStringFromObj(script, &len); - if (len) { - statePtr->callback = script; - Tcl_IncrRefCount(statePtr->callback); - } - } - - /* allocate password */ - if (password) { - (void) Tcl_GetStringFromObj(password, &len); - if (len) { - statePtr->password = password; - Tcl_IncrRefCount(statePtr->password); - } - } - - if (model != NULL) { - int mode; - /* Get the "model" context */ - chan = Tcl_GetChannel(interp, model, &mode); - if (chan == (Tcl_Channel) NULL) { - Tls_Free((void *)statePtr); - return TCL_ERROR; - } - - /* - * Make sure to operate on the topmost channel - */ - chan = Tcl_GetTopChannel(chan); - if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { - Tcl_AppendResult(interp, "bad channel \"", - Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL); - Tls_Free((void *)statePtr); - return TCL_ERROR; - } - ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; - } else { - if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, - cert, key_len, cert_len, CAdir, CAfile, ciphers, - DHparams)) == (SSL_CTX*)0) { - Tls_Free((void *)statePtr); - return TCL_ERROR; - } - } - - statePtr->ctx = ctx; - - /* - * We need to make sure that the channel works in binary (for the - * encryption not to get goofed up). - * We only want to adjust the buffering in pre-v2 channels, where - * each channel in the stack maintained its own buffers. - */ - Tcl_DStringInit(&upperChannelTranslation); - Tcl_DStringInit(&upperChannelBlocking); - Tcl_DStringInit(&upperChannelEOFChar); - Tcl_DStringInit(&upperChannelEncoding); - Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar); - Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding); - Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation); - Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking); - Tcl_SetChannelOption(interp, chan, "-translation", "binary"); - Tcl_SetChannelOption(interp, chan, "-blocking", "true"); - dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan)); - statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), statePtr, (TCL_READABLE | TCL_WRITABLE), chan); - dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self)); - if (statePtr->self == (Tcl_Channel) NULL) { - /* - * No use of Tcl_EventuallyFree because no possible Tcl_Preserve. - */ - Tls_Free((void *)statePtr); - return TCL_ERROR; - } - - Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation)); - Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding)); - Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar)); - Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking)); - - /* - * SSL Initialization - */ - - statePtr->ssl = SSL_new(statePtr->ctx); - if (!statePtr->ssl) { - /* SSL library error */ - Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), - (char *) NULL); - Tls_Free((void *)statePtr); - return TCL_ERROR; - } - -#ifndef OPENSSL_NO_TLSEXT - if (servername) { - if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { - Tcl_AppendResult(interp, "setting TLS host name extension failed", - (char *) NULL); - Tls_Free((void *)statePtr); - return TCL_ERROR; - } - } -#endif - - /* - * SSL Callbacks - */ - - SSL_set_app_data(statePtr->ssl, (void *)statePtr); /* point back to us */ - - SSL_set_verify(statePtr->ssl, verify, VerifyCallback); - - SSL_CTX_set_info_callback(statePtr->ctx, InfoCallback); - - /* Create Tcl_Channel BIO Handler */ - statePtr->p_bio = BIO_new_tcl(statePtr, BIO_NOCLOSE); - statePtr->bio = BIO_new(BIO_f_ssl()); - - if (server) { - statePtr->flags |= TLS_TCL_SERVER; - SSL_set_accept_state(statePtr->ssl); - } else { - SSL_set_connect_state(statePtr->ssl); - } - SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio); - BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE); - - /* - * End of SSL Init - */ - dprintf("Returning %s", Tcl_GetChannelName(statePtr->self)); - Tcl_SetResult(interp, (char *) Tcl_GetChannelName(statePtr->self), - TCL_VOLATILE); - return TCL_OK; -} - -/* - *------------------------------------------------------------------- - * - * UnimportObjCmd -- - * - * This procedure is invoked to remove the topmost channel filter. - * - * Results: - * A standard Tcl result. - * - * Side effects: - * May modify the behavior of an IO channel. - * - *------------------------------------------------------------------- - */ - -static int -UnimportObjCmd( - TCL_UNUSED(void *), - Tcl_Interp *interp, - int objc, - Tcl_Obj *const objv[]) -{ - Tcl_Channel chan; /* The channel to set a mode on. */ - - dprintf("Called"); - - if (objc != 2) { - Tcl_WrongNumArgs(interp, 1, objv, "channel"); - return TCL_ERROR; - } - - chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL); - if (chan == (Tcl_Channel) NULL) { - return TCL_ERROR; - } - - /* - * Make sure to operate on the topmost channel - */ - chan = Tcl_GetTopChannel(chan); - - if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { - Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), - "\": not a TLS channel", (char *)NULL); - return TCL_ERROR; - } - - if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) { - return TCL_ERROR; - } - - return TCL_OK; -} - -/* - *------------------------------------------------------------------- - * - * CTX_Init -- construct a SSL_CTX instance - * - * Results: - * A valid SSL_CTX instance or NULL. - * - * Side effects: - * constructs SSL context (CTX) - * - *------------------------------------------------------------------- - */ - -static SSL_CTX * -CTX_Init( - State *statePtr, - TCL_UNUSED(int) /* isServer */, - int proto, - char *keyfile, - char *certfile, - unsigned char *key, - unsigned char *cert, - int key_len, - int cert_len, - char *CAdir, - char *CAfile, - char *ciphers, - char *DHparams) -{ - Tcl_Interp *interp = statePtr->interp; - SSL_CTX *ctx = NULL; - Tcl_DString ds; - Tcl_DString ds1; - int off = 0; - int load_private_key; - const SSL_METHOD *method; - - dprintf("Called"); - - if (!proto) { - Tcl_AppendResult(interp, "no valid protocol selected", (char *)NULL); - return (SSL_CTX *)0; - } - - /* create SSL context */ -#if defined(NO_SSL2) - if (ENABLED(proto, TLS_PROTO_SSL2)) { - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return (SSL_CTX *)0; - } -#endif -#if defined(NO_SSL3) - if (ENABLED(proto, TLS_PROTO_SSL3)) { - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return (SSL_CTX *)0; - } -#endif -#if defined(NO_TLS1) - if (ENABLED(proto, TLS_PROTO_TLS1)) { - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return (SSL_CTX *)0; - } -#endif -#if defined(NO_TLS1_1) - if (ENABLED(proto, TLS_PROTO_TLS1_1)) { - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return (SSL_CTX *)0; - } -#endif -#if defined(NO_TLS1_2) - if (ENABLED(proto, TLS_PROTO_TLS1_2)) { - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return (SSL_CTX *)0; - } -#endif -#if defined(NO_TLS1_3) - if (ENABLED(proto, TLS_PROTO_TLS1_3)) { - Tcl_AppendResult(interp, "protocol not supported", (char *)NULL); - return (SSL_CTX *)0; - } -#endif - - switch (proto) { -#if !defined(NO_SSL2) - case TLS_PROTO_SSL2: - method = SSLv2_method (); - break; -#endif -#if !defined(NO_SSL3) - case TLS_PROTO_SSL3: - method = SSLv3_method (); - break; -#endif -#if !defined(NO_TLS1) - case TLS_PROTO_TLS1: - method = TLSv1_method (); - break; -#endif -#if !defined(NO_TLS1_1) - case TLS_PROTO_TLS1_1: - method = TLSv1_1_method (); - break; -#endif -#if !defined(NO_TLS1_2) - case TLS_PROTO_TLS1_2: - method = TLSv1_2_method (); - break; -#endif -#if !defined(NO_TLS1_3) - case TLS_PROTO_TLS1_3: - /* - * The version range is constrained below, - * after the context is created. Use the - * generic method here. - */ - method = TLS_method (); - break; -#endif - default: -#ifdef HAVE_TLS_METHOD - method = TLS_method (); -#else - method = SSLv23_method (); -#endif -#if !defined(NO_SSL2) - off |= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); -#endif -#if !defined(NO_SSL3) - off |= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); -#endif -#if !defined(NO_TLS1) - off |= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); -#endif -#if !defined(NO_TLS1_1) - off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); -#endif -#if !defined(NO_TLS1_2) - off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); -#endif -#if !defined(NO_TLS1_3) - off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); -#endif - break; - } - - ctx = SSL_CTX_new (method); - - if (!ctx) { - return(NULL); - } - -#if !defined(NO_TLS1_3) - if (proto == TLS_PROTO_TLS1_3) { - SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); - SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION); - } -#endif - - SSL_CTX_set_app_data( ctx, (void*)interp); /* remember the interpreter */ - SSL_CTX_set_options( ctx, SSL_OP_ALL); /* all SSL bug workarounds */ - SSL_CTX_set_options( ctx, off); /* all SSL bug workarounds */ - SSL_CTX_sess_set_cache_size( ctx, 128); - - if (ciphers != NULL) - SSL_CTX_set_cipher_list(ctx, ciphers); - - /* set some callbacks */ - SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback); - -#ifndef BSAFE - SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr); -#endif - - /* read a Diffie-Hellman parameters file, or use the built-in one */ -#ifdef OPENSSL_NO_DH - if (DHparams != NULL) { - Tcl_AppendResult(interp, - "DH parameter support not available", (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } -#else - { - DH* dh; - if (DHparams != NULL) { - BIO *bio; - Tcl_DStringInit(&ds); - bio = BIO_new_file(F2N(DHparams, &ds), "r"); - if (!bio) { - Tcl_DStringFree(&ds); - Tcl_AppendResult(interp, - "Could not find DH parameters file", (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } - - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); - BIO_free(bio); - Tcl_DStringFree(&ds); - if (!dh) { - Tcl_AppendResult(interp, - "Could not read DH parameters from file", (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } - } else { - dh = get_dhParams(); - } - SSL_CTX_set_tmp_dh(ctx, dh); - DH_free(dh); - } -#endif - - /* set our certificate */ - load_private_key = 0; - if (certfile != NULL) { - load_private_key = 1; - - Tcl_DStringInit(&ds); - - if (SSL_CTX_use_certificate_file(ctx, F2N( certfile, &ds), - SSL_FILETYPE_PEM) <= 0) { - Tcl_DStringFree(&ds); - Tcl_AppendResult(interp, - "unable to set certificate file ", certfile, ": ", - REASON(), (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } - } else if (cert != NULL) { - load_private_key = 1; - if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) { - Tcl_DStringFree(&ds); - Tcl_AppendResult(interp, - "unable to set certificate: ", - REASON(), (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } - } else { - certfile = (char*)X509_get_default_cert_file(); - - if (SSL_CTX_use_certificate_file(ctx, certfile, - SSL_FILETYPE_PEM) <= 0) { -#if 0 - Tcl_DStringFree(&ds); - Tcl_AppendResult(interp, - "unable to use default certificate file ", certfile, ": ", - REASON(), (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; -#endif - } - } - - /* set our private key */ - if (load_private_key) { - if (keyfile == NULL && key == NULL) { - keyfile = certfile; - } - - if (keyfile != NULL) { - /* get the private key associated with this certificate */ - if (keyfile == NULL) { - keyfile = certfile; - } - - if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds), SSL_FILETYPE_PEM) <= 0) { - Tcl_DStringFree(&ds); - /* flush the passphrase which might be left in the result */ - Tcl_SetResult(interp, NULL, TCL_STATIC); - Tcl_AppendResult(interp, - "unable to set public key file ", keyfile, " ", - REASON(), (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } - - Tcl_DStringFree(&ds); - } else if (key != NULL) { - if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) { - Tcl_DStringFree(&ds); - /* flush the passphrase which might be left in the result */ - Tcl_SetResult(interp, NULL, TCL_STATIC); - Tcl_AppendResult(interp, - "unable to set public key: ", - REASON(), (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } - } - /* Now we know that a key and cert have been set against - * the SSL context */ - if (!SSL_CTX_check_private_key(ctx)) { - Tcl_AppendResult(interp, - "private key does not match the certificate public key", - (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } - } - - /* Set verification CAs */ - Tcl_DStringInit(&ds); - Tcl_DStringInit(&ds1); - if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CAdir, &ds1)) || - !SSL_CTX_set_default_verify_paths(ctx)) { -#if 0 - Tcl_DStringFree(&ds); - Tcl_DStringFree(&ds1); - /* Don't currently care if this fails */ - Tcl_AppendResult(interp, "SSL default verify paths: ", - REASON(), (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; -#endif - } - - /* https://sourceforge.net/p/tls/bugs/57/ */ - /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */ - if ( CAfile != NULL ) { - STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) ); - if ( certNames != NULL ) { - SSL_CTX_set_client_CA_list(ctx, certNames ); - } - } - - Tcl_DStringFree(&ds); - Tcl_DStringFree(&ds1); - return ctx; -} - -/* - *------------------------------------------------------------------- - * - * StatusObjCmd -- return certificate for connected peer. - * - * Results: - * A standard Tcl result. - * - * Side effects: - * None. - * - *------------------------------------------------------------------- - */ -static int -StatusObjCmd( - TCL_UNUSED(void *), - Tcl_Interp *interp, - int objc, - Tcl_Obj *const objv[]) -{ - State *statePtr; - X509 *peer; - Tcl_Obj *objPtr; - Tcl_Channel chan; - char *channelName, *ciphers; - int mode; - - dprintf("Called"); - - switch (objc) { - case 2: - channelName = Tcl_GetString(objv[1]); - break; - - case 3: - if (!strcmp (Tcl_GetString (objv[1]), "-local")) { - channelName = Tcl_GetString(objv[2]); - break; - } - /* fallthrough */ - default: - Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); - return TCL_ERROR; - } - - chan = Tcl_GetChannel(interp, channelName, &mode); - if (chan == (Tcl_Channel) NULL) { - return TCL_ERROR; - } - /* - * Make sure to operate on the topmost channel - */ - chan = Tcl_GetTopChannel(chan); - if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { - Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), - "\": not a TLS channel", (char *)NULL); - return TCL_ERROR; - } - statePtr = (State *) Tcl_GetChannelInstanceData(chan); - if (objc == 2) { - peer = SSL_get_peer_certificate(statePtr->ssl); - } else { - peer = SSL_get_certificate(statePtr->ssl); - } - if (peer) { - objPtr = Tls_NewX509Obj(interp, peer); - if (objc == 2) { X509_free(peer); } - } else { - objPtr = Tcl_NewListObj(0, NULL); - } - - Tcl_ListObjAppendElement (interp, objPtr, - Tcl_NewStringObj ("sbits", -1)); - Tcl_ListObjAppendElement (interp, objPtr, - Tcl_NewIntObj (SSL_get_cipher_bits (statePtr->ssl, NULL))); - - ciphers = (char*)SSL_get_cipher(statePtr->ssl); - if (ciphers != NULL && strcmp(ciphers, "(NONE)")!=0) { - Tcl_ListObjAppendElement(interp, objPtr, - Tcl_NewStringObj("cipher", -1)); - Tcl_ListObjAppendElement(interp, objPtr, - Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1)); - } - - Tcl_ListObjAppendElement(interp, objPtr, - Tcl_NewStringObj("version", -1)); - Tcl_ListObjAppendElement(interp, objPtr, - Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1)); - - Tcl_SetObjResult( interp, objPtr); - return TCL_OK; -} - -/* - *------------------------------------------------------------------- - * - * VersionObjCmd -- return version string from OpenSSL. - * - * Results: - * A standard Tcl result. - * - * Side effects: - * None. - * - *------------------------------------------------------------------- - */ -static int -VersionObjCmd( - TCL_UNUSED(void *), - Tcl_Interp *interp, - TCL_UNUSED(int) /* objc */, - TCL_UNUSED(Tcl_Obj *const *) /* objv */) -{ - Tcl_Obj *objPtr; - - dprintf("Called"); - - objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1); - - Tcl_SetObjResult(interp, objPtr); - return TCL_OK; -} - -/* - *------------------------------------------------------------------- - * - * MiscObjCmd -- misc commands - * - * Results: - * A standard Tcl result. - * - * Side effects: - * None. - * - *------------------------------------------------------------------- - */ -static int -MiscObjCmd( - TCL_UNUSED(void *), - Tcl_Interp *interp, - int objc, - Tcl_Obj *const objv[]) -{ - static const char *commands [] = { "req", NULL }; - enum command { C_REQ, C_DUMMY }; - int cmd; - - dprintf("Called"); - - if (objc < 2) { - Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); - return TCL_ERROR; - } - if (Tcl_GetIndexFromObj(interp, objv[1], commands, - "command", 0,&cmd) != TCL_OK) { - return TCL_ERROR; - } - - switch ((enum command) cmd) { - case C_REQ: { - EVP_PKEY *pkey=NULL; - X509 *cert=NULL; - X509_NAME *name=NULL; - Tcl_Obj **listv; - Tcl_Size listc,i; - - BIO *out=NULL; - - const char *k_C="",*k_ST="",*k_L="",*k_O="",*k_OU="",*k_CN="",*k_Email=""; - char *keyout,*pemout,*str; - int keysize,serial=0,days=365; - - if ((objc<5) || (objc>6)) { - Tcl_WrongNumArgs(interp, 2, objv, "keysize keyfile certfile ?info?"); - return TCL_ERROR; - } - - if (Tcl_GetIntFromObj(interp, objv[2], &keysize) != TCL_OK) { - return TCL_ERROR; - } - keyout=Tcl_GetString(objv[3]); - pemout=Tcl_GetString(objv[4]); - - if (objc>=6) { - if (Tcl_ListObjGetElements(interp, objv[5], - &listc, &listv) != TCL_OK) { - return TCL_ERROR; - } - - if ((listc%2) != 0) { - Tcl_SetResult(interp,"Information list must have even number of arguments",NULL); - return TCL_ERROR; - } - for (i=0; i 8 -Tls_Free( void *blockPtr ) -#else -Tls_Free( char *blockPtr ) -#endif -{ - State *statePtr = (State *)blockPtr; - - dprintf("Called"); - - Tls_Clean(statePtr); - ckfree(blockPtr); -} - -/* - *------------------------------------------------------------------- - * - * Tls_Clean -- - * - * This procedure cleans up when a SSL socket based channel - * is closed and its reference count falls below 1. This should - * be called synchronously by the CloseProc, not in the - * EventuallyFree callback. - * - * Results: - * none - * - * Side effects: - * Frees all the state - * - *------------------------------------------------------------------- - */ -void Tls_Clean(State *statePtr) { - dprintf("Called"); - - /* - * we're assuming here that we're single-threaded - */ - if (statePtr->timer != (Tcl_TimerToken) NULL) { - Tcl_DeleteTimerHandler(statePtr->timer); - statePtr->timer = NULL; - } - - if (statePtr->bio) { - /* This will call SSL_shutdown. Bug 1414045 */ - dprintf("BIO_free_all(%p)", statePtr->bio); - BIO_free_all(statePtr->bio); - statePtr->bio = NULL; - } - if (statePtr->ssl) { - dprintf("SSL_free(%p)", statePtr->ssl); - SSL_free(statePtr->ssl); - statePtr->ssl = NULL; - } - if (statePtr->ctx) { - SSL_CTX_free(statePtr->ctx); - statePtr->ctx = NULL; - } - if (statePtr->callback) { - Tcl_DecrRefCount(statePtr->callback); - statePtr->callback = NULL; - } - if (statePtr->password) { - Tcl_DecrRefCount(statePtr->password); - statePtr->password = NULL; - } - - dprintf("Returning"); -} - -/* - *------------------------------------------------------------------- - * - * Tls_Init -- - * - * This is a package initialization procedure, which is called - * by Tcl when this package is to be added to an interpreter. - * - * Results: Ssl configured and loaded - * - * Side effects: - * create the ssl command, initialise ssl context - * - *------------------------------------------------------------------- - */ - -DLLEXPORT int Tls_Init(Tcl_Interp *interp) { - const char tlsTclInitScript[] = { -#include "tls.tcl.h" - 0x00 - }; - - dprintf("Called"); - - /* - * We only support Tcl 8.4 or newer - */ - if ( -#ifdef USE_TCL_STUBS - Tcl_InitStubs(interp, "8.6-", 0) -#else - Tcl_PkgRequire(interp, "Tcl", "8.6-", 0) -#endif - == NULL) { - return TCL_ERROR; - } - - if (TlsLibInit(0) != TCL_OK) { - Tcl_AppendResult(interp, "could not initialize SSL library", (char *)NULL); - return TCL_ERROR; - } - - Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); - Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); - Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); - Tcl_CreateObjCommand(interp, "tls::unimport", UnimportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); - Tcl_CreateObjCommand(interp, "tls::status", StatusObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); - Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); - Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL); - - if (interp) { - Tcl_Eval(interp, tlsTclInitScript); - } - - return(Tcl_PkgProvide(interp, "tls", PACKAGE_VERSION)); -} - -/* - *------------------------------------------------------* - * - * Tls_SafeInit -- - * - * ------------------------------------------------* - * Standard procedure required by 'load'. - * Initializes this extension for a safe interpreter. - * ------------------------------------------------* - * - * Sideeffects: - * As of 'Tls_Init' - * - * Result: - * A standard Tcl error code. - * - *------------------------------------------------------* - */ - -DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp) { - dprintf("Called"); - return(Tls_Init(interp)); -} - -/* - *------------------------------------------------------* - * - * TlsLibInit -- - * - * ------------------------------------------------* - * Initializes SSL library once per application - * ------------------------------------------------* - * - * Side effects: - * initilizes SSL library - * - * Result: - * none - * - *------------------------------------------------------* - */ -static int TlsLibInit(int uninitialize) { - static int initialized = 0; - int status = TCL_OK; -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - size_t num_locks; -#endif - - if (uninitialize) { - if (!initialized) { - dprintf("Asked to uninitialize, but we are not initialized"); - - return(TCL_OK); - } - - dprintf("Asked to uninitialize"); - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexLock(&init_mx); - - CRYPTO_set_locking_callback(NULL); - CRYPTO_set_id_callback(NULL); - - if (locks) { - free(locks); - locks = NULL; - locksCount = 0; - } -#endif - initialized = 0; - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexUnlock(&init_mx); -#endif - - return(TCL_OK); - } - - if (initialized) { - dprintf("Called, but using cached value"); - return(status); - } - - dprintf("Called"); - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexLock(&init_mx); -#endif - initialized = 1; - -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - num_locks = CRYPTO_num_locks(); - locksCount = num_locks; - locks = malloc(sizeof(*locks) * num_locks); - memset(locks, 0, sizeof(*locks) * num_locks); - - CRYPTO_set_locking_callback(CryptoThreadLockCallback); - CRYPTO_set_id_callback(CryptoThreadIdCallback); -#endif - - if (SSL_library_init() != 1) { - status = TCL_ERROR; - goto done; - } - - SSL_load_error_strings(); - ERR_load_crypto_strings(); - - BIO_new_tcl(NULL, 0); - -#if 0 - /* - * XXX:TODO: Remove this code and replace it with a check - * for enough entropy and do not try to create our own - * terrible entropy - */ - /* - * Seed the random number generator in the SSL library, - * using the do/while construct because of the bug note in the - * OpenSSL FAQ at http://www.openssl.org/support/faq.html#USER1 - * - * The crux of the problem is that Solaris 7 does not have a - * /dev/random or /dev/urandom device so it cannot gather enough - * entropy from the RAND_seed() when TLS initializes and refuses - * to go further. Earlier versions of OpenSSL carried on regardless. - */ - srand((unsigned int) time((time_t *) NULL)); - do { - for (i = 0; i < 16; i++) { - rnd_seed[i] = 1 + (char) (255.0 * rand()/(RAND_MAX+1.0)); - } - RAND_seed(rnd_seed, sizeof(rnd_seed)); - } while (RAND_status() != 1); -#endif - -done: -#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) - Tcl_MutexUnlock(&init_mx); -#endif - - return(status); -} DELETED tls.h Index: tls.h ================================================================== --- tls.h +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Copyright (C) 1997-2000 Matt Newman - * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) - * - * This was built from scratch based upon observation of OpenSSL 0.9.2B - * - * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for - * providing the Tcl_ReplaceChannel mechanism and working closely with me - * to enhance it to support full fileevent semantics. - * - * Also work done by the follow people provided the impetus to do this "right":- - * tclSSL (Colin McCormack, Shared Technology) - * SSLtcl (Peter Antman) - * - */ -#ifndef _TLS_H -#define _TLS_H - -#include - -/* - * Initialization routines -- our entire public C API. - */ -DLLEXPORT int Tls_Init(Tcl_Interp *interp); -DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp); - -#endif /* _TLS_H */ DELETED tlsBIO.c Index: tlsBIO.c ================================================================== --- tlsBIO.c +++ /dev/null @@ -1,323 +0,0 @@ -/* - * Copyright (C) 1997-2000 Matt Newman - * - * Provides BIO layer to interface openssl to Tcl. - */ - -#include "tlsInt.h" - -#ifdef TCLTLS_OPENSSL_PRE_1_1_API -#define BIO_get_data(bio) ((bio)->ptr) -#define BIO_get_init(bio) ((bio)->init) -#define BIO_get_shutdown(bio) ((bio)->shutdown) -#define BIO_set_data(bio, val) (bio)->ptr = (val) -#define BIO_set_init(bio, val) (bio)->init = (val) -#define BIO_set_shutdown(bio, val) (bio)->shutdown = (val) - -/* XXX: This assumes the variable being assigned to is BioMethods */ -#define BIO_meth_new(type_, name_) (BIO_METHOD *)Tcl_Alloc(sizeof(BIO_METHOD)); \ - memset(BioMethods, 0, sizeof(BIO_METHOD)); \ - BioMethods->type = type_; \ - BioMethods->name = name_; -#define BIO_meth_set_write(bio, val) (bio)->bwrite = val; -#define BIO_meth_set_read(bio, val) (bio)->bread = val; -#define BIO_meth_set_puts(bio, val) (bio)->bputs = val; -#define BIO_meth_set_ctrl(bio, val) (bio)->ctrl = val; -#define BIO_meth_set_create(bio, val) (bio)->create = val; -#define BIO_meth_set_destroy(bio, val) (bio)->destroy = val; -#endif - -/* - * Forward declarations - */ - -static int BioWrite (BIO *h, const char *buf, int num); -static int BioRead (BIO *h, char *buf, int num); -static int BioPuts (BIO *h, const char *str); -static long BioCtrl (BIO *h, int cmd, long arg1, void *ptr); -static int BioNew (BIO *h); -static int BioFree (BIO *h); - -BIO *BIO_new_tcl(State *statePtr, int flags) { - BIO *bio; - static BIO_METHOD *BioMethods = NULL; -#ifdef TCLTLS_SSL_USE_FASTPATH - Tcl_Channel parentChannel; - const Tcl_ChannelType *parentChannelType; - void *parentChannelFdIn_p, *parentChannelFdOut_p; - int parentChannelFdIn, parentChannelFdOut, parentChannelFd; - int validParentChannelFd; - int tclGetChannelHandleRet; -#endif - - dprintf("BIO_new_tcl() called"); - - if (BioMethods == NULL) { - BioMethods = BIO_meth_new(BIO_TYPE_TCL, "tcl"); - BIO_meth_set_write(BioMethods, BioWrite); - BIO_meth_set_read(BioMethods, BioRead); - BIO_meth_set_puts(BioMethods, BioPuts); - BIO_meth_set_ctrl(BioMethods, BioCtrl); - BIO_meth_set_create(BioMethods, BioNew); - BIO_meth_set_destroy(BioMethods, BioFree); - } - - if (statePtr == NULL) { - dprintf("Asked to setup a NULL state, just creating the initial configuration"); - - return(NULL); - } - -#ifdef TCLTLS_SSL_USE_FASTPATH - /* - * If the channel can be mapped back to a file descriptor, just use the file descriptor - * with the SSL library since it will likely be optimized for this. - */ - parentChannel = Tls_GetParent(statePtr, 0); - parentChannelType = Tcl_GetChannelType(parentChannel); - - validParentChannelFd = 0; - if (strcmp(parentChannelType->typeName, "tcp") == 0) { - tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_READABLE, &parentChannelFdIn_p); - if (tclGetChannelHandleRet == TCL_OK) { - tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_WRITABLE, &parentChannelFdOut_p); - if (tclGetChannelHandleRet == TCL_OK) { - parentChannelFdIn = PTR2INT(parentChannelFdIn_p); - parentChannelFdOut = PTR2INT(parentChannelFdOut_p); - if (parentChannelFdIn == parentChannelFdOut) { - parentChannelFd = parentChannelFdIn; - validParentChannelFd = 1; - } - } - } - } - - if (validParentChannelFd) { - dprintf("We found a shortcut, this channel is backed by a socket: %i", parentChannelFdIn); - bio = BIO_new_socket(parentChannelFd, flags); - statePtr->flags |= TLS_TCL_FASTPATH; - return(bio); - } - - dprintf("Falling back to Tcl I/O for this channel"); -#endif - - bio = BIO_new(BioMethods); - BIO_set_data(bio, statePtr); - BIO_set_shutdown(bio, flags); - BIO_set_init(bio, 1); - - return(bio); -} - -static int BioWrite(BIO *bio, const char *buf, int bufLen) { - Tcl_Channel chan; - int ret; - int tclEofChan, tclErrno; - - chan = Tls_GetParent((State *) BIO_get_data(bio), 0); - - dprintf("[chan=%p] BioWrite(%p, , %d)", (void *)chan, (void *) bio, bufLen); - - ret = Tcl_WriteRaw(chan, buf, bufLen); - - tclEofChan = Tcl_Eof(chan); - tclErrno = Tcl_GetErrno(); - - dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno()); - - BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY); - - if (tclEofChan && ret <= 0) { - dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); - Tcl_SetErrno(ECONNRESET); - ret = 0; - } else if (ret == 0) { - dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0"); - dprintf("Setting retry read flag"); - BIO_set_retry_read(bio); - } else if (ret < 0) { - dprintf("We got some kind of I/O error"); - - if (tclErrno == EAGAIN) { - dprintf("It's EAGAIN"); - } else { - dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); - } - } else { - dprintf("Successfully wrote some data"); - } - - if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) { - if (BIO_should_read(bio)) { - dprintf("Setting should retry read flag"); - - BIO_set_retry_read(bio); - } - } - - return(ret); -} - -static int BioRead(BIO *bio, char *buf, int bufLen) { - Tcl_Channel chan; - int ret = 0; - int tclEofChan, tclErrno; - - chan = Tls_GetParent((State *) BIO_get_data(bio), 0); - - dprintf("[chan=%p] BioRead(%p, , %d)", (void *) chan, (void *) bio, bufLen); - - if (buf == NULL) { - return 0; - } - - ret = Tcl_ReadRaw(chan, buf, bufLen); - - tclEofChan = Tcl_Eof(chan); - tclErrno = Tcl_GetErrno(); - - dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno); - - BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY); - - if (tclEofChan && ret <= 0) { - dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); - Tcl_SetErrno(ECONNRESET); - ret = 0; - } else if (ret == 0) { - dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0"); - dprintf("Setting retry read flag"); - BIO_set_retry_read(bio); - } else if (ret < 0) { - dprintf("We got some kind of I/O error"); - - if (tclErrno == EAGAIN) { - dprintf("It's EAGAIN"); - } else { - dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); - } - } else { - dprintf("Successfully read some data"); - } - - if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) { - if (BIO_should_write(bio)) { - dprintf("Setting should retry write flag"); - - BIO_set_retry_write(bio); - } - } - - dprintf("BioRead(%p, , %d) [%p] returning %i", (void *) bio, bufLen, (void *) chan, ret); - - return(ret); -} - -static int BioPuts(BIO *bio, const char *str) { - dprintf("BioPuts(%p, ) called", bio, str); - - return BioWrite(bio, str, (int) strlen(str)); -} - -static long BioCtrl(BIO *bio, int cmd, long num, void *ptr) { - Tcl_Channel chan; - long ret = 1; - - chan = Tls_GetParent((State *) BIO_get_data(bio), 0); - - dprintf("BioCtrl(%p, 0x%x, 0x%lx, %p)", bio, cmd, num, ptr); - - switch (cmd) { - case BIO_CTRL_RESET: - dprintf("Got BIO_CTRL_RESET"); - num = 0; - ret = 0; - break; - case BIO_C_FILE_SEEK: - dprintf("Got BIO_C_FILE_SEEK"); - ret = 0; - break; - case BIO_C_FILE_TELL: - dprintf("Got BIO_C_FILE_TELL"); - ret = 0; - break; - case BIO_CTRL_INFO: - dprintf("Got BIO_CTRL_INFO"); - ret = 1; - break; - case BIO_C_SET_FD: - dprintf("Unsupported call: BIO_C_SET_FD"); - ret = -1; - break; - case BIO_C_GET_FD: - dprintf("Unsupported call: BIO_C_GET_FD"); - ret = -1; - break; - case BIO_CTRL_GET_CLOSE: - dprintf("Got BIO_CTRL_CLOSE"); - ret = BIO_get_shutdown(bio); - break; - case BIO_CTRL_SET_CLOSE: - dprintf("Got BIO_SET_CLOSE"); - BIO_set_shutdown(bio, num); - break; - case BIO_CTRL_EOF: - dprintf("Got BIO_CTRL_EOF"); - ret = Tcl_Eof(chan); - break; - case BIO_CTRL_PENDING: - dprintf("Got BIO_CTRL_PENDING"); - ret = ((chan) ? Tcl_InputBuffered(chan) : 0); - dprintf("BIO_CTRL_PENDING(%d)", (int) ret); - break; - case BIO_CTRL_WPENDING: - dprintf("Got BIO_CTRL_WPENDING"); - ret = 0; - break; - case BIO_CTRL_DUP: - dprintf("Got BIO_CTRL_DUP"); - break; - case BIO_CTRL_FLUSH: - dprintf("Got BIO_CTRL_FLUSH"); - ret = ((Tcl_WriteRaw(chan, "", 0) >= 0) ? 1 : -1); - dprintf("BIO_CTRL_FLUSH returning value %li", ret); - break; - default: - dprintf("Got unknown control command (%i)", cmd); - ret = -2; - break; - } - - return(ret); -} - -static int BioNew(BIO *bio) { - dprintf("BioNew(%p) called", bio); - - BIO_set_init(bio, 0); - BIO_set_data(bio, NULL); - BIO_clear_flags(bio, -1); - - return(1); -} - -static int BioFree(BIO *bio) { - if (bio == NULL) { - return(0); - } - - dprintf("BioFree(%p) called", bio); - - if (BIO_get_shutdown(bio)) { - if (BIO_get_init(bio)) { - /*shutdown(bio->num, 2) */ - /*closesocket(bio->num) */ - } - - BIO_set_init(bio, 0); - BIO_clear_flags(bio, -1); - } - - return(1); -} DELETED tlsIO.c Index: tlsIO.c ================================================================== --- tlsIO.c +++ /dev/null @@ -1,946 +0,0 @@ -/* - * Copyright (C) 1997-2000 Matt Newman - * Copyright (C) 2000 Ajuba Solutions - * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) - * - * This was built from scratch based upon observation of OpenSSL 0.9.2B - * - * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for - * providing the Tcl_ReplaceChannel mechanism and working closely with me - * to enhance it to support full fileevent semantics. - * - * Also work done by the follow people provided the impetus to do this "right": - * tclSSL (Colin McCormack, Shared Technology) - * SSLtcl (Peter Antman) - * - */ - -#include "tlsInt.h" - -/* - * Forward declarations - */ -static int TlsBlockModeProc (void *instanceData, int mode); -static int TlsCloseProc (void *instanceData, Tcl_Interp *interp); -static int TlsClose2Proc (void *instanceData, Tcl_Interp *interp, int flags); -static int TlsInputProc (void *instanceData, char *buf, int bufSize, int *errorCodePtr); -static int TlsOutputProc (void *instanceData, const char *buf, int toWrite, int *errorCodePtr); -static int TlsGetOptionProc (void *instanceData, Tcl_Interp *interp, const char *optionName, Tcl_DString *dsPtr); -static void TlsWatchProc (void *instanceData, int mask); -static int TlsGetHandleProc (void *instanceData, int direction, void **handlePtr); -static int TlsNotifyProc (void *instanceData, int mask); -static void TlsChannelHandlerTimer (void *clientData); - -/* - * TLS Channel Type - */ -static const Tcl_ChannelType tlsChannelType = { - "tls", /* typeName */ - TCL_CHANNEL_VERSION_5, /* version */ - TlsCloseProc, /* closeProc */ - TlsInputProc, /* inputProc */ - TlsOutputProc, /* outputProc */ - 0, /* seekProc */ - 0, /* setOptionProc */ - TlsGetOptionProc, /* getOptionProc */ - TlsWatchProc, /* watchProc */ - TlsGetHandleProc, /* getHandleProc */ - TlsClose2Proc, /* close2Proc */ - TlsBlockModeProc, /* blockModeProc */ - 0, /* flushProc */ - TlsNotifyProc, /* handlerProc */ - 0, /* wideSeekProc */ - 0, /* threadActionProc */ - 0 /* truncateProc */ -}; - - -/* - *------------------------------------------------------------------- - * - * Tls_ChannelType -- - * - * Return the correct TLS channel driver info - * - * Results: - * The correct channel driver for the current version of Tcl. - * - * Side effects: - * None. - * - *------------------------------------------------------------------- - */ -const Tcl_ChannelType *Tls_ChannelType(void) { - return &tlsChannelType; -} - -/* - *------------------------------------------------------------------- - * - * TlsBlockModeProc -- - * - * This procedure is invoked by the generic IO level - * to set blocking and nonblocking modes - * Results: - * 0 if successful, errno when failed. - * - * Side effects: - * Sets the device into blocking or nonblocking mode. - * - *------------------------------------------------------------------- - */ -static int TlsBlockModeProc(void *instanceData, int mode) { - State *statePtr = (State *) instanceData; - - if (mode == TCL_MODE_NONBLOCKING) { - statePtr->flags |= TLS_TCL_ASYNC; - } else { - statePtr->flags &= ~(TLS_TCL_ASYNC); - } - - return(0); -} - -/* - *------------------------------------------------------------------- - * - * TlsCloseProc -- - * - * This procedure is invoked by the generic IO level to perform - * channel-type-specific cleanup when a SSL socket based channel - * is closed. - * - * Note: we leave the underlying socket alone, is this right? - * - * Results: - * 0 if successful, the value of Tcl_GetErrno() if failed. - * - * Side effects: - * Closes the socket of the channel. - * - *------------------------------------------------------------------- - */ -static int TlsCloseProc(void *instanceData, TCL_UNUSED(Tcl_Interp *)) { - State *statePtr = (State *) instanceData; - - dprintf("TlsCloseProc(%p)", statePtr); - - Tls_Clean(statePtr); - Tcl_EventuallyFree(statePtr, Tls_Free); - - dprintf("Returning TCL_OK"); - - return(TCL_OK); -} - -static int TlsClose2Proc(void *instanceData, Tcl_Interp *interp, int flags) { - if (!(flags&(TCL_CLOSE_READ|TCL_CLOSE_WRITE))) { - return TlsCloseProc(instanceData, interp); - } - return EINVAL; -} - -/* - *------------------------------------------------------* - * - * Tls_WaitForConnect -- - * - * Sideeffects: - * Issues SSL_accept or SSL_connect - * - * Result: - * None. - * - *------------------------------------------------------* - */ -int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent) { - unsigned long backingError; - int err, rc; - int bioShouldRetry; - - dprintf("WaitForConnect(%p)", statePtr); - dprintFlags(statePtr); - - if (!(statePtr->flags & TLS_TCL_INIT)) { - dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success"); - *errorCodePtr = 0; - return(0); - } - - if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { - /* - * Different types of operations have different requirements - * SSL being established - */ - if (handshakeFailureIsPermanent) { - dprintf("Asked to wait for a TLS handshake that has already failed. Returning fatal error"); - *errorCodePtr = ECONNABORTED; - } else { - dprintf("Asked to wait for a TLS handshake that has already failed. Returning soft error"); - *errorCodePtr = ECONNRESET; - } - return(-1); - } - - for (;;) { - /* Not initialized yet! */ - if (statePtr->flags & TLS_TCL_SERVER) { - dprintf("Calling SSL_accept()"); - - err = SSL_accept(statePtr->ssl); - } else { - dprintf("Calling SSL_connect()"); - - err = SSL_connect(statePtr->ssl); - } - - if (err > 0) { - dprintf("That seems to have gone okay"); - - err = BIO_flush(statePtr->bio); - - if (err <= 0) { - dprintf("Flushing the lower layers failed, this will probably terminate this session"); - } - } - - rc = SSL_get_error(statePtr->ssl, err); - - dprintf("Got error: %i (rc = %i)", err, rc); - - bioShouldRetry = 0; - if (err <= 0) { - if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) { - bioShouldRetry = 1; - } else if (BIO_should_retry(statePtr->bio)) { - bioShouldRetry = 1; - } else if (rc == SSL_ERROR_SYSCALL && Tcl_GetErrno() == EAGAIN) { - bioShouldRetry = 1; - } - } else { - if (!SSL_is_init_finished(statePtr->ssl)) { - bioShouldRetry = 1; - } - } - - if (bioShouldRetry) { - dprintf("The I/O did not complete -- but we should try it again"); - - if (statePtr->flags & TLS_TCL_ASYNC) { - dprintf("Returning EAGAIN so that it can be retried later"); - - *errorCodePtr = EAGAIN; - - return(-1); - } else { - dprintf("Doing so now"); - - continue; - } - } - - dprintf("We have either completely established the session or completely failed it -- there is no more need to ever retry it though"); - break; - } - - - *errorCodePtr = EINVAL; - - switch (rc) { - case SSL_ERROR_NONE: - /* The connection is up, we are done here */ - dprintf("The connection is up"); - break; - case SSL_ERROR_ZERO_RETURN: - dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...") - return(-1); - case SSL_ERROR_SYSCALL: - backingError = ERR_get_error(); - - if (backingError == 0 && err == 0) { - dprintf("EOF reached") - *errorCodePtr = ECONNRESET; - } else if (backingError == 0 && err == -1) { - dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno()); - *errorCodePtr = Tcl_GetErrno(); - if (*errorCodePtr == ECONNRESET) { - *errorCodePtr = ECONNABORTED; - } - } else { - dprintf("I/O error occured (backingError = %lu)", backingError); - *errorCodePtr = backingError; - if (*errorCodePtr == ECONNRESET) { - *errorCodePtr = ECONNABORTED; - } - } - - statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; - - return(-1); - case SSL_ERROR_SSL: - dprintf("Got permanent fatal SSL error, aborting immediately"); - Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error())); - statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; - *errorCodePtr = ECONNABORTED; - return(-1); - case SSL_ERROR_WANT_CONNECT: - case SSL_ERROR_WANT_ACCEPT: - case SSL_ERROR_WANT_X509_LOOKUP: - default: - dprintf("We got a confusing reply: %i", rc); - *errorCodePtr = Tcl_GetErrno(); - dprintf("ERR(%d, %d) ", rc, *errorCodePtr); - return(-1); - } - -#if 0 - if (statePtr->flags & TLS_TCL_SERVER) { - dprintf("This is an TLS server, checking the certificate for the peer"); - - err = SSL_get_verify_result(statePtr->ssl); - if (err != X509_V_OK) { - dprintf("Invalid certificate, returning in failure"); - - Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err)); - statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED; - *errorCodePtr = ECONNABORTED; - return(-1); - } - } -#endif - - dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake"); - statePtr->flags &= ~TLS_TCL_INIT; - - dprintf("Returning in success"); - *errorCodePtr = 0; - - return(0); -} - -/* - *------------------------------------------------------------------- - * - * TlsInputProc -- - * - * This procedure is invoked by the generic IO level - * to read input from a SSL socket based channel. - * - * Results: - * The number of bytes read is returned or -1 on error. An output - * argument contains the POSIX error code on error, or zero if no - * error occurred. - * - * Side effects: - * Reads input from the input device of the channel. - * - *------------------------------------------------------------------- - */ - -static int TlsInputProc(void *instanceData, char *buf, int bufSize, int *errorCodePtr) { - unsigned long backingError; - State *statePtr = (State *) instanceData; - int bytesRead; - int tlsConnect; - int err; - - *errorCodePtr = 0; - - dprintf("BIO_read(%d)", bufSize); - - if (statePtr->flags & TLS_TCL_CALLBACK) { - /* don't process any bytes while verify callback is running */ - dprintf("Callback is running, reading 0 bytes"); - return(0); - } - - dprintf("Calling Tls_WaitForConnect"); - tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0); - if (tlsConnect < 0) { - dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); - - bytesRead = -1; - if (*errorCodePtr == ECONNRESET) { - dprintf("Got connection reset"); - /* Soft EOF */ - *errorCodePtr = 0; - bytesRead = 0; - } - - return(bytesRead); - } - - /* - * We need to clear the SSL error stack now because we sometimes reach - * this function with leftover errors in the stack. If BIO_read - * returns -1 and intends EAGAIN, there is a leftover error, it will be - * misconstrued as an error, not EAGAIN. - * - * Alternatively, we may want to handle the <0 return codes from - * BIO_read specially (as advised in the RSA docs). TLS's lower level BIO - * functions play with the retry flags though, and this seems to work - * correctly. Similar fix in TlsOutputProc. - hobbs - */ - ERR_clear_error(); - bytesRead = BIO_read(statePtr->bio, buf, bufSize); - dprintf("BIO_read -> %d", bytesRead); - - err = SSL_get_error(statePtr->ssl, bytesRead); - -#if 0 - if (bytesRead <= 0) { - if (BIO_should_retry(statePtr->bio)) { - dprintf("I/O failed, will retry based on EAGAIN"); - *errorCodePtr = EAGAIN; - } - } -#endif - - switch (err) { - case SSL_ERROR_NONE: - dprintBuffer(buf, bytesRead); - break; - case SSL_ERROR_SSL: - dprintf("SSL negotiation error, indicating that the connection has been aborted"); - - Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, bytesRead)); - *errorCodePtr = ECONNABORTED; - bytesRead = -1; - - break; - case SSL_ERROR_SYSCALL: - backingError = ERR_get_error(); - - if (backingError == 0 && bytesRead == 0) { - dprintf("EOF reached") - *errorCodePtr = 0; - bytesRead = 0; - } else if (backingError == 0 && bytesRead == -1) { - dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno()); - *errorCodePtr = Tcl_GetErrno(); - bytesRead = -1; - } else { - dprintf("I/O error occured (backingError = %lu)", backingError); - *errorCodePtr = backingError; - bytesRead = -1; - } - - break; - case SSL_ERROR_ZERO_RETURN: - dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached"); - bytesRead = 0; - *errorCodePtr = 0; - break; - case SSL_ERROR_WANT_READ: - dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN"); - bytesRead = -1; - *errorCodePtr = EAGAIN; - break; - default: - dprintf("Unknown error (err = %i), mapping to EOF", err); - *errorCodePtr = 0; - bytesRead = 0; - break; - } - - dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr); - return(bytesRead); -} - -/* - *------------------------------------------------------------------- - * - * TlsOutputProc -- - * - * This procedure is invoked by the generic IO level - * to write output to a SSL socket based channel. - * - * Results: - * The number of bytes written is returned. An output argument is - * set to a POSIX error code if an error occurred, or zero. - * - * Side effects: - * Writes output on the output device of the channel. - * - *------------------------------------------------------------------- - */ - -static int TlsOutputProc(void *instanceData, const char *buf, int toWrite, int *errorCodePtr) { - unsigned long backingError; - State *statePtr = (State *) instanceData; - int written, err; - int tlsConnect; - - *errorCodePtr = 0; - - dprintf("BIO_write(%p, %d)", (void *) statePtr, toWrite); - dprintBuffer(buf, toWrite); - - if (statePtr->flags & TLS_TCL_CALLBACK) { - dprintf("Don't process output while callbacks are running") - written = -1; - *errorCodePtr = EAGAIN; - return(-1); - } - - dprintf("Calling Tls_WaitForConnect"); - tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1); - if (tlsConnect < 0) { - dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr); - - written = -1; - if (*errorCodePtr == ECONNRESET) { - dprintf("Got connection reset"); - /* Soft EOF */ - *errorCodePtr = 0; - written = 0; - } - - return(written); - } - - if (toWrite == 0) { - dprintf("zero-write"); - err = BIO_flush(statePtr->bio); - - if (err <= 0) { - dprintf("Flushing failed"); - - *errorCodePtr = EIO; - written = 0; - return(-1); - } - - written = 0; - *errorCodePtr = 0; - return(0); - } - - /* - * We need to clear the SSL error stack now because we sometimes reach - * this function with leftover errors in the stack. If BIO_write - * returns -1 and intends EAGAIN, there is a leftover error, it will be - * misconstrued as an error, not EAGAIN. - * - * Alternatively, we may want to handle the <0 return codes from - * BIO_write specially (as advised in the RSA docs). TLS's lower level - * BIO functions play with the retry flags though, and this seems to - * work correctly. Similar fix in TlsInputProc. - hobbs - */ - ERR_clear_error(); - written = BIO_write(statePtr->bio, buf, toWrite); - dprintf("BIO_write(%p, %d) -> [%d]", (void *) statePtr, toWrite, written); - - err = SSL_get_error(statePtr->ssl, written); - switch (err) { - case SSL_ERROR_NONE: - if (written < 0) { - written = 0; - } - break; - case SSL_ERROR_WANT_WRITE: - dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN"); - *errorCodePtr = EAGAIN; - written = -1; - break; - case SSL_ERROR_WANT_READ: - dprintf(" write R BLOCK"); - break; - case SSL_ERROR_WANT_X509_LOOKUP: - dprintf(" write X BLOCK"); - break; - case SSL_ERROR_ZERO_RETURN: - dprintf(" closed"); - written = 0; - *errorCodePtr = 0; - break; - case SSL_ERROR_SYSCALL: - backingError = ERR_get_error(); - - if (backingError == 0 && written == 0) { - dprintf("EOF reached") - *errorCodePtr = 0; - written = 0; - } else if (backingError == 0 && written == -1) { - dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno()); - *errorCodePtr = Tcl_GetErrno(); - written = -1; - } else { - dprintf("I/O error occured (backingError = %lu)", backingError); - *errorCodePtr = backingError; - written = -1; - } - - break; - case SSL_ERROR_SSL: - Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, written)); - *errorCodePtr = ECONNABORTED; - written = -1; - break; - default: - dprintf(" unknown err: %d", err); - break; - } - - dprintf("Output(%d) -> %d", toWrite, written); - return(written); -} - -/* - *------------------------------------------------------------------- - * - * TlsGetOptionProc -- - * - * Computes an option value for a SSL socket based channel, or a - * list of all options and their values. - * - * Results: - * A standard Tcl result. The value of the specified option or a - * list of all options and their values is returned in the - * supplied DString. - * - * Side effects: - * None. - * - *------------------------------------------------------------------- - */ -static int -TlsGetOptionProc(void *instanceData, /* Socket state. */ - Tcl_Interp *interp, /* For errors - can be NULL. */ - const char *optionName, /* Name of the option to - * retrieve the value for, or - * NULL to get all options and - * their values. */ - Tcl_DString *dsPtr) /* Where to store the computed value - * initialized by caller. */ -{ - State *statePtr = (State *) instanceData; - - Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); - Tcl_DriverGetOptionProc *getOptionProc; - - getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan)); - if (getOptionProc != NULL) { - return (*getOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, dsPtr); - } else if (optionName == (char*) NULL) { - /* - * Request is query for all options, this is ok. - */ - return TCL_OK; - } - /* - * Request for a specific option has to fail, we don't have any. - */ - return TCL_ERROR; -} - -/* - *------------------------------------------------------------------- - * - * TlsWatchProc -- - * - * Initialize the notifier to watch Tcl_Files from this channel. - * - * Results: - * None. - * - * Side effects: - * Sets up the notifier so that a future event on the channel - * will be seen by Tcl. - * - *------------------------------------------------------------------- - */ - -static void -TlsWatchProc(void *instanceData, /* The socket state. */ - int mask) /* Events of interest; an OR-ed - * combination of TCL_READABLE, - * TCL_WRITABLE and TCL_EXCEPTION. */ -{ - Tcl_Channel downChan; - State *statePtr = (State *) instanceData; - - dprintf("TlsWatchProc(0x%x)", mask); - - /* Pretend to be dead as long as the verify callback is running. - * Otherwise that callback could be invoked recursively. */ - if (statePtr->flags & TLS_TCL_CALLBACK) { - dprintf("Callback is on-going, doing nothing"); - return; - } - - dprintFlags(statePtr); - - downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); - - if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { - dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here"); - - dprintf("Unregistering interest in the lower channel"); - (Tcl_GetChannelType(downChan))->watchProc(Tcl_GetChannelInstanceData(downChan), 0); - - statePtr->watchMask = 0; - - return; - } - - statePtr->watchMask = mask; - - /* No channel handlers any more. We will be notified automatically - * about events on the channel below via a call to our - * 'TransformNotifyProc'. But we have to pass the interest down now. - * We are allowed to add additional 'interest' to the mask if we want - * to. But this transformation has no such interest. It just passes - * the request down, unchanged. - */ - - - dprintf("Registering our interest in the lower channel (chan=%p)", (void *) downChan); - (Tcl_GetChannelType(downChan)) - ->watchProc(Tcl_GetChannelInstanceData(downChan), mask); - - /* - * Management of the internal timer. - */ - - if (statePtr->timer != (Tcl_TimerToken) NULL) { - dprintf("A timer was found, deleting it"); - Tcl_DeleteTimerHandler(statePtr->timer); - statePtr->timer = (Tcl_TimerToken) NULL; - } - - if (mask & TCL_READABLE) { - if (Tcl_InputBuffered(statePtr->self) > 0 || BIO_ctrl_pending(statePtr->bio) > 0) { - /* - * There is interest in readable events and we actually have - * data waiting, so generate a timer to flush that. - */ - dprintf("Creating a new timer since data appears to be waiting"); - statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, TlsChannelHandlerTimer, statePtr); - } - } -} - -/* - *------------------------------------------------------------------- - * - * TlsGetHandleProc -- - * - * Called from Tcl_GetChannelFile to retrieve o/s file handler - * from the SSL socket based channel. - * - * Results: - * The appropriate Tcl_File or NULL if not present. - * - * Side effects: - * None. - * - *------------------------------------------------------------------- - */ -static int TlsGetHandleProc(void *instanceData, int direction, void **handlePtr) { - State *statePtr = (State *) instanceData; - - return(Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr)); -} - -/* - *------------------------------------------------------------------- - * - * TlsNotifyProc -- - * - * Handler called by Tcl to inform us of activity - * on the underlying channel. - * - * Results: - * None. - * - * Side effects: - * May process the incoming event by itself. - * - *------------------------------------------------------------------- - */ - -static int TlsNotifyProc(void *instanceData, int mask) { - State *statePtr = (State *) instanceData; - int errorCode; - - /* - * An event occured in the underlying channel. This - * transformation doesn't process such events thus returns the - * incoming mask unchanged. - */ - if (statePtr->timer != (Tcl_TimerToken) NULL) { - /* - * Delete an existing timer. It was not fired, yet we are - * here, so the channel below generated such an event and we - * don't have to. The renewal of the interest after the - * execution of channel handlers will eventually cause us to - * recreate the timer (in WatchProc). - */ - Tcl_DeleteTimerHandler(statePtr->timer); - statePtr->timer = (Tcl_TimerToken) NULL; - } - - if (statePtr->flags & TLS_TCL_CALLBACK) { - dprintf("Returning 0 due to callback"); - return 0; - } - - dprintf("Calling Tls_WaitForConnect"); - errorCode = 0; - if (Tls_WaitForConnect(statePtr, &errorCode, 1) < 0) { - if (errorCode == EAGAIN) { - dprintf("Async flag could be set (didn't check) and errorCode == EAGAIN: Returning 0"); - - return 0; - } - - dprintf("Tls_WaitForConnect returned an error"); - } - - dprintf("Returning %i", mask); - - return(mask); -} - -#if 0 -/* - *------------------------------------------------------* - * - * TlsChannelHandler -- - * - * ------------------------------------------------* - * Handler called by Tcl as a result of - * Tcl_CreateChannelHandler - to inform us of activity - * on the underlying channel. - * ------------------------------------------------* - * - * Sideeffects: - * May generate subsequent calls to - * Tcl_NotifyChannel. - * - * Result: - * None. - * - *------------------------------------------------------* - */ - -static void -TlsChannelHandler (clientData, mask) - void * clientData; - int mask; -{ - State *statePtr = (State *) clientData; - - dprintf("HANDLER(0x%x)", mask); - Tcl_Preserve(statePtr); - - if (mask & TCL_READABLE) { - BIO_set_flags(statePtr->p_bio, BIO_FLAGS_READ); - } else { - BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_READ); - } - - if (mask & TCL_WRITABLE) { - BIO_set_flags(statePtr->p_bio, BIO_FLAGS_WRITE); - } else { - BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_WRITE); - } - - mask = 0; - if (BIO_wpending(statePtr->bio)) { - mask |= TCL_WRITABLE; - } - if (BIO_pending(statePtr->bio)) { - mask |= TCL_READABLE; - } - - /* - * The following NotifyChannel calls seems to be important, but - * we don't know why. It looks like if the mask is ever non-zero - * that it will enter an infinite loop. - * - * Notify the upper channel of the current BIO state so the event - * continues to propagate up the chain. - * - * stanton: It looks like this could result in an infinite loop if - * the upper channel doesn't cause ChannelHandler to be removed - * before Tcl_NotifyChannel calls channel handlers on the lower channel. - */ - - Tcl_NotifyChannel(statePtr->self, mask); - - if (statePtr->timer != (Tcl_TimerToken)NULL) { - Tcl_DeleteTimerHandler(statePtr->timer); - statePtr->timer = (Tcl_TimerToken)NULL; - } - if ((mask & TCL_READABLE) && Tcl_InputBuffered(statePtr->self) > 0) { - /* - * Data is waiting, flush it out in short time - */ - statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, - TlsChannelHandlerTimer, statePtr); - } - Tcl_Release(statePtr); -} -#endif - -/* - *------------------------------------------------------* - * - * TlsChannelHandlerTimer -- - * - * ------------------------------------------------* - * Called by the notifier (-> timer) to flush out - * information waiting in channel buffers. - * ------------------------------------------------* - * - * Sideeffects: - * As of 'TlsChannelHandler'. - * - * Result: - * None. - * - *------------------------------------------------------* - */ - -static void TlsChannelHandlerTimer(void *clientData) { - State *statePtr = (State *) clientData; - int mask = 0; - - dprintf("Called"); - - statePtr->timer = (Tcl_TimerToken) NULL; - - if (BIO_wpending(statePtr->bio)) { - dprintf("[chan=%p] BIO writable", statePtr->self); - - mask |= TCL_WRITABLE; - } - - if (BIO_pending(statePtr->bio)) { - dprintf("[chan=%p] BIO readable", statePtr->self); - - mask |= TCL_READABLE; - } - - dprintf("Notifying ourselves"); - Tcl_NotifyChannel(statePtr->self, mask); - - dprintf("Returning"); - - return; -} - -Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags) { - dprintf("Requested to get parent of channel %p", statePtr->self); - - if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) { - dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL"); - return(NULL); - } - - return(Tcl_GetStackedChannel(statePtr->self)); -} DELETED tlsInt.h Index: tlsInt.h ================================================================== --- tlsInt.h +++ /dev/null @@ -1,198 +0,0 @@ -/* - * Copyright (C) 1997-2000 Matt Newman - * - * TLS (aka SSL) Channel - can be layered on any bi-directional - * Tcl_Channel (Note: Requires Trf Core Patch) - * - * This was built from scratch based upon observation of OpenSSL 0.9.2B - * - * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for - * providing the Tcl_ReplaceChannel mechanism and working closely with me - * to enhance it to support full fileevent semantics. - * - * Also work done by the follow people provided the impetus to do this "right":- - * tclSSL (Colin McCormack, Shared Technology) - * SSLtcl (Peter Antman) - * - */ -#ifndef _TLSINT_H -#define _TLSINT_H - -#include "tls.h" -#include -#include -#include - -#ifdef __WIN32__ -#define WIN32_LEAN_AND_MEAN -#include -#include /* OpenSSL needs this on Windows */ -#endif - -#ifdef NO_PATENTS -# define NO_IDEA -# define NO_RC2 -# define NO_RC4 -# define NO_RC5 -# define NO_RSA -# ifndef NO_SSL2 -# define NO_SSL2 -# endif -#endif - -#include -#include -#include -#include - -/* - * Determine if we should use the pre-OpenSSL 1.1.0 API - */ -#undef TCLTLS_OPENSSL_PRE_1_1 -#if (defined(LIBRESSL_VERSION_NUMBER)) || OPENSSL_VERSION_NUMBER < 0x10100000L -# define TCLTLS_OPENSSL_PRE_1_1_API 1 -#endif - -#ifndef ECONNABORTED -#define ECONNABORTED 130 /* Software caused connection abort */ -#endif -#ifndef ECONNRESET -#define ECONNRESET 131 /* Connection reset by peer */ -#endif - -#ifdef TCLEXT_TCLTLS_DEBUG -#include -#define dprintf(...) { \ - char dprintfBuffer[8192], *dprintfBuffer_p; \ - dprintfBuffer_p = &dprintfBuffer[0]; \ - dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():", __FILE__, __LINE__, __func__); \ - dprintfBuffer_p += sprintf(dprintfBuffer_p, __VA_ARGS__); \ - fprintf(stderr, "%s\n", dprintfBuffer); \ - } -#define dprintBuffer(bufferName, bufferLength) { \ - int dprintBufferIdx; \ - unsigned char dprintBufferChar; \ - fprintf(stderr, "%s:%i:%s():%s[%llu]={", __FILE__, __LINE__, __func__, #bufferName, (unsigned long long) bufferLength); \ - for (dprintBufferIdx = 0; dprintBufferIdx < bufferLength; dprintBufferIdx++) { \ - dprintBufferChar = bufferName[dprintBufferIdx]; \ - if (isalpha(dprintBufferChar) || isdigit(dprintBufferChar)) { \ - fprintf(stderr, "'%c' ", dprintBufferChar); \ - } else { \ - fprintf(stderr, "%02x ", (unsigned int) dprintBufferChar); \ - }; \ - }; \ - fprintf(stderr, "}\n"); \ - } -#define dprintFlags(statePtr) { \ - char dprintfBuffer[8192], *dprintfBuffer_p; \ - dprintfBuffer_p = &dprintfBuffer[0]; \ - dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():%s->flags=0", __FILE__, __LINE__, __func__, #statePtr); \ - if (((statePtr)->flags & TLS_TCL_ASYNC) == TLS_TCL_ASYNC) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_ASYNC"); }; \ - if (((statePtr)->flags & TLS_TCL_SERVER) == TLS_TCL_SERVER) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_SERVER"); }; \ - if (((statePtr)->flags & TLS_TCL_INIT) == TLS_TCL_INIT) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_INIT"); }; \ - if (((statePtr)->flags & TLS_TCL_DEBUG) == TLS_TCL_DEBUG) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_DEBUG"); }; \ - if (((statePtr)->flags & TLS_TCL_CALLBACK) == TLS_TCL_CALLBACK) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_CALLBACK"); }; \ - if (((statePtr)->flags & TLS_TCL_HANDSHAKE_FAILED) == TLS_TCL_HANDSHAKE_FAILED) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_HANDSHAKE_FAILED"); }; \ - if (((statePtr)->flags & TLS_TCL_FASTPATH) == TLS_TCL_FASTPATH) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_FASTPATH"); }; \ - fprintf(stderr, "%s\n", dprintfBuffer); \ - } -#else -#define dprintf(...) if (0) { fprintf(stderr, __VA_ARGS__); } -#define dprintBuffer(bufferName, bufferLength) /**/ -#define dprintFlags(statePtr) /**/ -#endif - -#define TCLTLS_SSL_ERROR(ssl,err) ((char*)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err)))) -/* - * OpenSSL BIO Routines - */ -#define BIO_TYPE_TCL (19|0x0400) - -/* - * Defines for State.flags - */ -#define TLS_TCL_ASYNC (1<<0) /* non-blocking mode */ -#define TLS_TCL_SERVER (1<<1) /* Server-Side */ -#define TLS_TCL_INIT (1<<2) /* Initializing connection */ -#define TLS_TCL_DEBUG (1<<3) /* Show debug tracing */ -#define TLS_TCL_CALLBACK (1<<4) /* In a callback, prevent update - * looping problem. [Bug 1652380] */ -#define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once - * set, all further I/O will result - * in ECONNABORTED errors. */ -#define TLS_TCL_FASTPATH (1<<6) /* The parent channel is being used directly by the SSL library */ -#define TLS_TCL_DELAY (5) - -/* - * This structure describes the per-instance state - * of an ssl channel. - * - * The SSL processing context is maintained here, in the ClientData - */ -typedef struct State { - Tcl_Channel self; /* this socket channel */ - Tcl_TimerToken timer; - - int flags; /* see State.flags above */ - int watchMask; /* current WatchProc mask */ - int mode; /* current mode of parent channel */ - - Tcl_Interp *interp; /* interpreter in which this resides */ - Tcl_Obj *callback; /* script called for tracing, verifying and errors */ - Tcl_Obj *password; /* script called for certificate password */ - - int vflags; /* verify flags */ - SSL *ssl; /* Struct for SSL processing */ - SSL_CTX *ctx; /* SSL Context */ - BIO *bio; /* Struct for SSL processing */ - BIO *p_bio; /* Parent BIO (that is layered on Tcl_Channel) */ - - const char *err; -} State; - -#ifdef USE_TCL_STUBS -#ifndef Tcl_StackChannel -#error "Unable to compile on this version of Tcl" -#endif /* Tcl_GetStackedChannel */ -#endif /* USE_TCL_STUBS */ - -#ifndef JOIN -# define JOIN(a,b) JOIN1(a,b) -# define JOIN1(a,b) a##b -#endif - -#ifndef TCL_UNUSED -# if defined(__cplusplus) -# define TCL_UNUSED(T) T -# elif defined(__GNUC__) && (__GNUC__ > 2) -# define TCL_UNUSED(T) T JOIN(dummy, __LINE__) __attribute__((unused)) -# else -# define TCL_UNUSED(T) T JOIN(dummy, __LINE__) -# endif -#endif - -#if (TCL_MAJOR_VERSION < 9) && defined(TCL_MINOR_VERSION) && (TCL_MINOR_VERSION < 7) && !defined(Tcl_Size) -# define Tcl_Size int -#endif - -/* - * Forward declarations - */ -const Tcl_ChannelType *Tls_ChannelType(void); -Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags); - -Tcl_Obj *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert); -void Tls_Error(State *statePtr, char *msg); -#if TCL_MAJOR_VERSION > 8 -void Tls_Free(void *blockPtr); -#else -void Tls_Free(char *blockPtr); -#endif -void Tls_Clean(State *statePtr); -int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent); - -BIO *BIO_new_tcl(State* statePtr, int flags); - -#define PTR2INT(x) ((int) ((intptr_t) (x))) - -#endif /* _TLSINT_H */ DELETED tlsX509.c Index: tlsX509.c ================================================================== --- tlsX509.c +++ /dev/null @@ -1,209 +0,0 @@ -/* - * Copyright (C) 1997-2000 Sensus Consulting Ltd. - * Matt Newman - */ -#include "tlsInt.h" - -/* - * Ensure these are not macros - known to be defined on Win32 - */ -#ifdef min -#undef min -#endif - -#ifdef max -#undef max -#endif - -static int min(int a, int b) -{ - return (a < b) ? a : b; -} - -static int max(int a, int b) -{ - return (a > b) ? a : b; -} - -/* - * ASN1_UTCTIME_tostr -- - */ -static char * -ASN1_UTCTIME_tostr(ASN1_UTCTIME *tm) -{ - static char bp[128]; - char *v; - int gmt=0; - static char *mon[12]={ - "Jan","Feb","Mar","Apr","May","Jun", - "Jul","Aug","Sep","Oct","Nov","Dec"}; - int i; - int y=0,M=0,d=0,h=0,m=0,s=0; - - i=tm->length; - v=(char *)tm->data; - - if (i < 10) goto err; - if (v[i-1] == 'Z') gmt=1; - for (i=0; i<10; i++) - if ((v[i] > '9') || (v[i] < '0')) goto err; - y= (v[0]-'0')*10+(v[1]-'0'); - if (y < 70) y+=100; - M= (v[2]-'0')*10+(v[3]-'0'); - if ((M > 12) || (M < 1)) goto err; - d= (v[4]-'0')*10+(v[5]-'0'); - h= (v[6]-'0')*10+(v[7]-'0'); - m= (v[8]-'0')*10+(v[9]-'0'); - if ( (v[10] >= '0') && (v[10] <= '9') && - (v[11] >= '0') && (v[11] <= '9')) - s= (v[10]-'0')*10+(v[11]-'0'); - - sprintf(bp,"%s %2d %02d:%02d:%02d %d%s", - mon[M-1],d,h,m,s,y+1900,(gmt)?" GMT":""); - return bp; - err: - return "Bad time value"; -} - -/* - *------------------------------------------------------* - * - * Tls_NewX509Obj -- - * - * ------------------------------------------------* - * Converts a X509 certificate into a Tcl_Obj - * ------------------------------------------------* - * - * Sideeffects: - * None - * - * Result: - * A Tcl List Object representing the provided - * X509 certificate. - * - *------------------------------------------------------* - */ - -#define CERT_STR_SIZE 16384 - -Tcl_Obj* -Tls_NewX509Obj( interp, cert) - Tcl_Interp *interp; - X509 *cert; -{ - Tcl_Obj *certPtr = Tcl_NewListObj( 0, NULL); - BIO *bio; - int n; - unsigned long flags; - char subject[BUFSIZ]; - char issuer[BUFSIZ]; - char serial[BUFSIZ]; - char notBefore[BUFSIZ]; - char notAfter[BUFSIZ]; - char certStr[CERT_STR_SIZE], *certStr_p; - int certStr_len, toRead; -#ifndef NO_SSL_SHA - int shai; - char sha_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1]; - unsigned char sha_hash_binary[SHA_DIGEST_LENGTH]; - const char *shachars="0123456789ABCDEF"; - - sha_hash_ascii[SHA_DIGEST_LENGTH * 2] = '\0'; -#endif - - certStr[0] = 0; - if ((bio = BIO_new(BIO_s_mem())) == NULL) { - subject[0] = 0; - issuer[0] = 0; - serial[0] = 0; - } else { - flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT; - flags &= ~ASN1_STRFLGS_ESC_MSB; - - X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags); - n = BIO_read(bio, subject, min(BIO_pending(bio), BUFSIZ - 1)); - n = max(n, 0); - subject[n] = 0; - (void)BIO_flush(bio); - - X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags); - n = BIO_read(bio, issuer, min(BIO_pending(bio), BUFSIZ - 1)); - n = max(n, 0); - issuer[n] = 0; - (void)BIO_flush(bio); - - i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); - n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1)); - n = max(n, 0); - serial[n] = 0; - (void)BIO_flush(bio); - - if (PEM_write_bio_X509(bio, cert)) { - certStr_p = certStr; - certStr_len = 0; - while (1) { - toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1); - toRead = min(toRead, BUFSIZ); - if (toRead == 0) { - break; - } - dprintf("Reading %i bytes from the certificate...", toRead); - n = BIO_read(bio, certStr_p, toRead); - if (n <= 0) { - break; - } - certStr_len += n; - certStr_p += n; - } - *certStr_p = '\0'; - (void)BIO_flush(bio); - } - - BIO_free(bio); - } - - strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) )); - strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) )); - -#ifndef NO_SSL_SHA - X509_digest(cert, EVP_sha1(), sha_hash_binary, NULL); - for (shai = 0; shai < SHA_DIGEST_LENGTH; shai++) { - sha_hash_ascii[shai * 2] = shachars[(sha_hash_binary[shai] & 0xF0) >> 4]; - sha_hash_ascii[shai * 2 + 1] = shachars[(sha_hash_binary[shai] & 0x0F)]; - } - Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) ); - Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha_hash_ascii, SHA_DIGEST_LENGTH * 2) ); - -#endif - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( "subject", -1) ); - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( subject, -1) ); - - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( "issuer", -1) ); - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( issuer, -1) ); - - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( "notBefore", -1) ); - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( notBefore, -1) ); - - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( "notAfter", -1) ); - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( notAfter, -1) ); - - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( "serial", -1) ); - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( serial, -1) ); - - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( "certificate", -1) ); - Tcl_ListObjAppendElement( interp, certPtr, - Tcl_NewStringObj( certStr, -1) ); - - return certPtr; -} Index: win/makefile.vc ================================================================== --- win/makefile.vc +++ win/makefile.vc @@ -1,32 +1,70 @@ -# call nmake with additional parameter SSL_INSTALL_FOLDER= with the -# OpenSSL instalation folder following. - -PROJECT=tls -DOTVERSION = 1.8.0 - -PRJLIBNAME = $(PROJECT)$(VERSION)$(SUFX).$(EXT) -PRJLIB = $(OUT_DIR)\$(PRJLIBNAME) +#------------------------------------------------------------- -*- makefile -*- +# +# Makefile for TclTLS extensions. +# +# Basic build, test and install +# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl +# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl test +# nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl install +# +# For other build options (debug, static etc.), +# See TIP 477 (https://core.tcl-lang.org/tips/doc/main/tip/477.md) for +# detailed documentation. +# +# See the file "license.terms" for information on usage and redistribution +# of this file, and for a DISCLAIMER OF ALL WARRANTIES. +# +#------------------------------------------------------------------------------ + +# The name of the package +PROJECT=tls !include "rules-ext.vc" -PRJ_INCLUDES = -I"$(SSL_INSTALL_FOLDER)\include" -PRJ_DEFINES = -D NO_SSL2 -D NO_SSL3 -D _CRT_SECURE_NO_WARNINGS +# Define the object files and resource file that make up the extension. +# Note the resource file does not makes sense if doing a static library build +# hence it is under that condition. TMP_DIR is the output directory +# defined by rules for object files. +PRJ_OBJS = $(TMP_DIR)\tls.obj \ + $(TMP_DIR)\tlsBIO.obj \ + $(TMP_DIR)\tlsIO.obj \ + $(TMP_DIR)\tlsX509.obj + +# Define any additional project include flags +# SSL_INSTALL_FOLDER = with the OpenSSL installation folder following. +PRJ_INCLUDES = -I"$(SSL_INSTALL_FOLDER)\include" -I"$(OPENSSL_INSTALL_DIR)\include" +# Define any additional compiler flags that might be required for the project +PRJ_DEFINES = -D NO_SSL2 -D NO_SSL3 -D _CRT_SECURE_NO_WARNINGS + +# SSL Libs: +# 1. ${LIBCRYPTO}.dll +# 2. ${LIBSSL}.dll +# Where LIBCRYPTO (#1.) and LIBSSL (#2.) are defined as follows: +# v1.1: libcrypto-1.1-x64.dll and libssl-1.1-x64.dll +# v3: libcrypto-3-x64.dll and libssl-3-x64.dll +# On *nix libcrypto.so.* and libssl.so.* (where suffix is a version indicator). +# PRJ_LIBS = \ "$(SSL_INSTALL_FOLDER)\lib\libssl.lib" \ "$(SSL_INSTALL_FOLDER)\lib\libcrypto.lib" \ - WS2_32.LIB GDI32.LIB ADVAPI32.LIB CRYPT32.LIB USER32.LIB - - -PRJ_OBJS = $(TMP_DIR)\tls.obj \ - $(TMP_DIR)\tlsBIO.obj \ - $(TMP_DIR)\tlsIO.obj \ - $(TMP_DIR)\tlsX509.obj - + WS2_32.LIB GDI32.LIB ADVAPI32.LIB CRYPT32.LIB USER32.LIB + +# Define the standard targets !include "targets.vc" +# Project specific targets + +# We must define a pkgindex target that will create a pkgIndex.tcl +# file in the $(OUT_DIR) directory. We can just redirect to the +# default-pkgindex target for our sample extension. pkgindex: default-pkgindex -install: - copy "$(SSL_INSTALL_FOLDER)\bin\libcrypto-3-x64.dll" "$(INSTALLDIR)\$(PROJECT)$(DOTVERSION)\libcrypto-3-x64.dll" - copy "$(SSL_INSTALL_FOLDER)\bin\libssl-3-x64.dll" "$(INSTALLDIR)\$(PROJECT)$(DOTVERSION)\libssl-3-x64.dll" + +# The default install target only installs binaries and scripts so add +# an additional target for our documentation. Note this *adds* a target +# since no commands are listed after it. The original targets for +# install (from targets.vc) will remain. +install: default-pkgindex-tea default-install default-install-docs-html +# Test package +test: default-test