Check-in [569c10f3b2]


Overview
Comment: Added remaining TLSv1.3 support
SHA3-256:569c10f3b208df3bfa817f9cfdeab536bdda5dca9163076149dc39ce118ebddf
User & Date: rkeene 2019-04-09 17:04:08
Context
2019-04-09
17:55
Merged in TLS 1.3 support check-in: 737b9c0d46 user: rkeene tags: trunk
17:04
Added remaining TLSv1.3 support Closed-Leaf check-in: 569c10f3b2 user: rkeene tags: enhancement/tls-1.3
2018-11-08
00:23
Note that TLSv1.3 is a lot different in API, this branch is incomplete check-in: 7978a539fc user: rkeene tags: enhancement/tls-1.3
Changes

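--- a/aclocal/tcltls_openssl.m4
+++ b/aclocal/tcltls_openssl.m4
@@ -1,21 +1,48 @@
 dnl $1 = Name of variable
 dnl $2 = Name of function to check for
 dnl $3 = Name of protocol
 dnl $4 = Name of CPP macro to define
+dnl $5 = Name of CPP macro to check for instead of a function
 AC_DEFUN([TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER], [
 	dnl Determine if particular SSL version is enabled
 	if test "[$]$1" = "true" -o "[$]$1" = "force"; then
-		AC_CHECK_FUNC($2,, [
+		proto_check='true'
+		ifelse($5,, [
+			AC_CHECK_FUNC($2,, [
+				proto_check='false'
+			])
+		], [
+			AC_LANG_PUSH(C)
+			AC_MSG_CHECKING([for $3 protocol support])
+			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include <openssl/ssl.h>
+#include <openssl/opensslv.h>
+#if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
+# include <openssl/conf.h>
+#endif
+			], [
+int x = $5;
+			])], [
+				AC_MSG_RESULT([yes])
+			], [
+				AC_MSG_RESULT([no])
+
+				proto_check='false'
+			])
+			AC_LANG_POP([C])
+		])
+
+		if test "$proto_check" = 'false'; then
 			if test "[$]$1" = "force"; then
 				AC_MSG_ERROR([Unable to enable $3])
 			fi
 
 			$1='false'
-		])
+		fi
 	fi
 
 	if test "[$]$1" = "false"; then
 		AC_DEFINE($4, [1], [Define this to disable $3 in OpenSSL support])
 	fi
 
 ])
@@ -151,23 +178,21 @@
 		AC_MSG_RESULT([yes])
 	], [
 		AC_MSG_RESULT([no])
 		AC_MSG_ERROR([Unable to compile a basic program using OpenSSL])
 	])
 	AC_LANG_POP([C])
 
+	AC_CHECK_FUNCS([TLS_method])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2])
-
-	dnl XXX:TODO: Note that OpenSSL 1.1.1 does not export this, still need to figure out how to
-	dnl talk only TLSv1.3
-	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3])
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [], [tlsv1.3], [NO_TLS1_3], [SSL_OP_NO_TLSv1_3])
 
 	AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [
 		AC_LANG_PUSH(C)
 		AC_MSG_CHECKING([for SSL_set_tlsext_host_name])
 		AC_LINK_IFELSE([AC_LANG_PROGRAM([
 #include <openssl/ssl.h>
 #if (SSLEAY_VERSION_NUMBER >= 0x0907000L)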
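Review bot: The compile probe added for the `$5` path (new lines 15–31) only proves that the preprocessor symbol `SSL_OP_NO_TLSv1_3` exists in the headers; it does not prove the library was built with TLS 1.3 enabled, and as far as I can tell an OpenSSL configured with `no-tls1_3` still defines that symbol while setting `OPENSSL_NO_TLS1_3`, so `NO_TLS1_3` would stay undefined and the later runtime `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)` would fail instead of being rejected at configure time. Consider adding `#ifdef OPENSSL_NO_TLS1_3` / `#error TLS 1.3 disabled in this OpenSSL build` / `#endif` to the test program's prologue so a disabled build turns the probe into a "no". Unlike the `tcltls_cv_func_tlsext_hostname` check that follows, the new probe is not wrapped in AC_CACHE_VAL; if that is deliberate a short note would help, e.g. `dnl Not cached: the macro probe is cheap and depends only on the headers under test`.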

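--- a/tls.c
+++ b/tls.c
@@ -57,25 +57,26 @@
 
 static int	MiscObjCmd(ClientData clientData,
 			Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]);
 
 static int	UnimportObjCmd(ClientData clientData,
 			Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]);
 
-static SSL_CTX *CTX_Init(State *statePtr, int proto, char *key,
+static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
 			char *cert, char *CAdir, char *CAfile, char *ciphers,
 			char *DHparams);
 
 static int	TlsLibInit(int uninitialize);
 
 #define TLS_PROTO_SSL2		0x01
 #define TLS_PROTO_SSL3		0x02
 #define TLS_PROTO_TLS1		0x04
 #define TLS_PROTO_TLS1_1	0x08
 #define TLS_PROTO_TLS1_2	0x10
+#define TLS_PROTO_TLS1_3	0x20
 #define ENABLED(flag, mask)	(((flag) & (mask)) == (mask))
 
 /*
  * Static data structures
  */
 
 #ifndef OPENSSL_NO_DH
@@ -561,15 +562,17 @@
 		ctx = SSL_CTX_new(TLSv1_2_method()); break;
 #endif
     case TLS_TLS1_3:
 #if defined(NO_TLS1_3)
 		Tcl_AppendResult(interp, "protocol not supported", NULL);
 		return TCL_ERROR;
 #else
-		ctx = SSL_CTX_new(TLSv1_3_method()); break;
+		ctx = SSL_CTX_new(TLS_method()); break;
+                SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+                SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
 #endif
     default:
 		break;
     }
     if (ctx == NULL) {
 	Tcl_AppendResult(interp, REASON(), (char *) NULL);
 	return TCL_ERROR;
@@ -822,14 +825,15 @@
     if (verify == 0)	verify = SSL_VERIFY_NONE;
 
     proto |= (ssl2 ? TLS_PROTO_SSL2 : 0);
     proto |= (ssl3 ? TLS_PROTO_SSL3 : 0);
     proto |= (tls1 ? TLS_PROTO_TLS1 : 0);
     proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0);
     proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0);
+    proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0);
 
     /* reset to NULL if blank string provided */
     if (cert && !*cert)		cert	 = NULL;
     if (key && !*key)		key	 = NULL;
     if (ciphers && !*ciphers)	ciphers	 = NULL;
     if (CAfile && !*CAfile)	CAfile	 = NULL;
     if (CAdir && !*CAdir)	CAdir	 = NULL;
@@ -879,15 +883,15 @@
 	    Tcl_AppendResult(interp, "bad channel \"",
 		    Tcl_GetChannelName(chan), "\": not a TLS channel", NULL);
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
 	ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
     } else {
-	if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers,
+	if ((ctx = CTX_Init(statePtr, server, proto, key, cert, CAdir, CAfile, ciphers,
 		DHparams)) == (SSL_CTX*)0) {
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
     }
 
     statePtr->ctx = ctx;
@@ -1048,16 +1052,17 @@
  * Side effects:
  *	constructs SSL context (CTX)
  *
  *-------------------------------------------------------------------
  */
 
 static SSL_CTX *
-CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, DHparams)
+CTX_Init(statePtr, isServer, proto, key, cert, CAdir, CAfile, ciphers, DHparams)
     State *statePtr;
+    int isServer;
     int proto;
     char *key;
     char *cert;
     char *CAdir;
     char *CAfile;
     char *ciphers;
     char *DHparams;
@@ -1103,14 +1108,20 @@
 #endif
 #if defined(NO_TLS1_2)
     if (ENABLED(proto, TLS_PROTO_TLS1_2)) {
 	Tcl_AppendResult(interp, "protocol not supported", NULL);
 	return (SSL_CTX *)0;
     }
 #endif
+#if defined(NO_TLS1_3)
+    if (ENABLED(proto, TLS_PROTO_TLS1_3)) {
+	Tcl_AppendResult(interp, "protocol not supported", NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
 
     switch (proto) {
 #if !defined(NO_SSL2)
     case TLS_PROTO_SSL2:
 	method = SSLv2_method ();
 	break;
 #endif
@@ -1129,17 +1140,31 @@
 	method = TLSv1_1_method ();
 	break;
 #endif
 #if !defined(NO_TLS1_2)
     case TLS_PROTO_TLS1_2:
 	method = TLSv1_2_method ();
 	break;
+#endif
+#if !defined(NO_TLS1_3)
+    case TLS_PROTO_TLS1_3:
+        /*
+         * The version range is constrained below,
+         * after the context is created.  Use the
+         * generic method here.
+         */
+	method = TLS_method ();
+	break;
 #endif
     default:
+#ifdef HAVE_TLS_METHOD
+        method = TLS_method ();
+#else
         method = SSLv23_method ();
+#endif
 #if !defined(NO_SSL2)
 	off |= (ENABLED(proto, TLS_PROTO_SSL2)   ? 0 : SSL_OP_NO_SSLv2);
 #endif
 #if !defined(NO_SSL3)
 	off |= (ENABLED(proto, TLS_PROTO_SSL3)   ? 0 : SSL_OP_NO_SSLv3);
 #endif
 #if !defined(NO_TLS1)
@@ -1147,18 +1172,32 @@
 #endif
 #if !defined(NO_TLS1_1)
 	off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1);
 #endif
 #if !defined(NO_TLS1_2)
 	off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2);
 #endif
+#if !defined(NO_TLS1_3)
+	off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3);
+#endif
 	break;
     }
     
     ctx = SSL_CTX_new (method);
+
+    if (!ctx) {
+        return(NULL);
+    }
+
+#if !defined(NO_TLS1_3)
+    if (proto == TLS_PROTO_TLS1_3) {
+        SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+        SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
+    }
+#endif
     
     SSL_CTX_set_app_data( ctx, (VOID*)interp);	/* remember the interpreter */
     SSL_CTX_set_options( ctx, SSL_OP_ALL);	/* all SSL bug workarounds */
     SSL_CTX_set_options( ctx, off);	/* all SSL bug workarounds */
     SSL_CTX_sess_set_cache_size( ctx, 128);
 
     if (ciphers != NULL)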
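Review bot: In the TLS_TLS1_3 case at new lines 569–571 the `break;` sits on the same line as `ctx = SSL_CTX_new(TLS_method());`, so the two `SSL_CTX_set_{min,max}_proto_version` calls that follow it are unreachable and the context keeps TLS_method()'s full negotiable range — a caller asking for tlsv1.3 only silently gets a context that will also negotiate whichever older versions the library allows, which is a downgrade hazard rather than a crash. The `break;` has to move after the version calls, `ctx` has to be NULL-checked before they dereference it, and both return values should be checked since they return 0 on failure (for example an OpenSSL built without TLS 1.3). The same unchecked pair appears in CTX_Init at new lines 1191–1196, where I would write `if (!SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) || !SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)) { SSL_CTX_free(ctx); return (SSL_CTX *)0; }`. The new `isServer` parameter is not used in any visible line of CTX_Init, and whether the bare `return(NULL);` at new line 1188 leaves the interpreter result empty depends on the caller's handling, which is outside this section; CTX_Init's body also continues past the last hunk.
```c
    case TLS_TLS1_3:
#if defined(NO_TLS1_3)
		/* … unchanged: "protocol not supported" error … */
#else
		ctx = SSL_CTX_new(TLS_method());
		/* Pin the range to exactly TLS 1.3; both ctrls return 0 on failure. */
		if (ctx != NULL &&
		    (!SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) ||
		     !SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION))) {
		    SSL_CTX_free(ctx);
		    ctx = NULL;
		}
		break;
#endif
```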