︙ | | |
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
-
+
|
(((key) == NULL) ? (char *) NULL : \
Tcl_TranslateFileName(interp, (key), (dsp)))
#define REASON() ERR_reason_error_string(ERR_get_error())
static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1,
int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile,
char *ciphers, char *ciphersuites, char *DHparams);
char *ciphers, char *ciphersuites, int level, char *DHparams);
static int TlsLibInit(int uninitialize);
#define TLS_PROTO_SSL2 0x01
#define TLS_PROTO_SSL3 0x02
#define TLS_PROTO_TLS1 0x04
#define TLS_PROTO_TLS1_1 0x08
|
︙ | | |
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
|
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
|
-
+
|
objPtr = Tcl_NewStringObj("",0);
for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
if (c == NULL) continue;
/* textual description of the cipher */
if (SSL_CIPHER_description(c, buf, sizeof(buf)) != NULL) {
Tcl_AppendToObj(objPtr, buf, strlen(buf));
Tcl_AppendToObj(objPtr, buf, (int) strlen(buf));
} else {
Tcl_AppendToObj(objPtr, "UNKNOWN\n", 8);
}
}
}
if (use_supported) {
sk_SSL_CIPHER_free(sk);
|
︙ | | |
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
|
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
|
-
+
|
char *model = NULL;
#ifndef OPENSSL_NO_TLSEXT
char *servername = NULL; /* hostname for Server Name Indication */
Tcl_Obj *alpn = NULL;
#endif
int ssl2 = 0, ssl3 = 0;
int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
int proto = 0;
int proto = 0, level = -1;
int verify = 0, require = 0, request = 1;
dprintf("Called");
#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3) && defined(NO_SSL3) && !defined(NO_SSL2)
ssl2 = 1;
#endif
|
︙ | | |
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
|
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
|
+
+
-
+
|
if (opt[0] != '-')
break;
OPTSTR("-cadir", CAdir);
OPTSTR("-cafile", CAfile);
OPTSTR("-certfile", certfile);
OPTSTR("-cipher", ciphers);
OPTSTR("-ciphers", ciphers);
OPTSTR("-ciphersuites", ciphersuites);
OPTOBJ("-command", script);
OPTSTR("-dhparams", DHparams);
OPTSTR("-keyfile", keyfile);
OPTSTR("-model", model);
OPTOBJ("-password", password);
OPTBOOL("-require", require);
OPTBOOL("-request", request);
OPTINT("-securitylevel", level);
OPTBOOL("-server", server);
#ifndef OPENSSL_NO_TLSEXT
OPTSTR("-servername", servername);
OPTOBJ("-alpn", alpn);
#endif
OPTBOOL("-ssl2", ssl2);
OPTBOOL("-ssl3", ssl3);
OPTBOOL("-tls1", tls1);
OPTBOOL("-tls1.1", tls1_1);
OPTBOOL("-tls1.2", tls1_2);
OPTBOOL("-tls1.3", tls1_3);
OPTBYTE("-cert", cert, cert_len);
OPTBYTE("-key", key, key_len);
OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or -tls1.3");
OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -securitylevel, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or -tls1.3");
return TCL_ERROR;
}
if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
if (verify == 0) verify = SSL_VERIFY_NONE;
|
︙ | | |
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
|
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
|
-
+
|
"\": not a TLS channel", NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
} else {
if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert,
key_len, cert_len, CAdir, CAfile, ciphers, ciphersuites, DHparams)) == (SSL_CTX*)0) {
key_len, cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == (SSL_CTX*)0) {
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
}
statePtr->ctx = ctx;
|
︙ | | |
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
|
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
|
-
+
|
* constructs SSL context (CTX)
*
*-------------------------------------------------------------------
*/
static SSL_CTX *
CTX_Init(State *statePtr, int isServer, int proto, char *keyfile, char *certfile,
unsigned char *key, unsigned char *cert, int key_len, int cert_len, char *CAdir,
char *CAfile, char *ciphers, char *ciphersuites, char *DHparams) {
char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams) {
Tcl_Interp *interp = statePtr->interp;
SSL_CTX *ctx = NULL;
Tcl_DString ds;
Tcl_DString ds1;
int off = 0;
int load_private_key;
const SSL_METHOD *method;
|
︙ | | |
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
|
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
|
-
+
+
+
+
+
+
+
|
SSL_CTX_set_options(ctx, SSL_OP_ALL); /* all SSL bug workarounds */
SSL_CTX_set_options(ctx, off); /* disable protocol versions */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background */
#endif
SSL_CTX_sess_set_cache_size(ctx, 128);
/* Set user defined ciphers and cipher suites */
/* Set user defined ciphers, cipher suites, and security level */
if (((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) || \
((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites))) {
Tcl_AppendResult(interp, "Set ciphers failed", (char *) NULL);
SSL_CTX_free(ctx);
return (SSL_CTX *)0;
}
/* Set security level */
if (level > -1 && level < 6) {
/* SSL_set_security_level */
SSL_CTX_set_security_level(ctx, level);
}
/* set some callbacks */
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
#ifndef BSAFE
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr);
#endif
|
︙ | | |
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
|
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
|
-
+
+
+
+
+
|
} else if (SSL_in_init(ssl)) {
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("handshake", -1));
} else {
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("initializing", -1));
}
/* Get server name */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("server", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("servername", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1));
/* Get protocol */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(ssl), -1));
/* Get security level */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("securitylevel", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_security_level(ssl)));
/* Get cipher */
cipher = SSL_get_current_cipher(ssl);
if (cipher != NULL) {
char buf[BUFSIZ] = {0};
int bits, alg_bits;
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("cipher", -1));
|
︙ | | |