TclTLS: Diff

Differences From Artifact [42a5997f51]:

File generic/tls.c — part of check-in [c498845865] at 2023-12-21 19:56:20 on branch trunk — Optimized Init stub load and package require. Use general pkhIndex.tcl file. (user: bohagan, size: 90221) [annotate] [blame] [check-ins using]

To Artifact [54886bd843]:

File generic/tls.c — part of check-in [d3d16ea77f] at 2023-12-29 03:09:08 on branch dh — Updated to auto set DH parameters. Updated to use well known Diffie-Hellman (DH) parameters that have built-in support in OpenSSL. This means the DH parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key. (user: bohagan, size: 90364) [annotate] [blame] [check-ins using]

︙			︙
60 61 62 63 64 65 66 ~~67 68 69 70 71 72 73 74~~ 75 76 77 78 79 80 81	#define TLS_PROTO_TLS1_1 0x08 #define TLS_PROTO_TLS1_2 0x10 #define TLS_PROTO_TLS1_3 0x20 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) #define SSLKEYLOGFILE "SSLKEYLOGFILE" ~~/* * Static data structures / ~~#ifndef OPENSSL_NO_DH~~ ~~#include "dh_params.h"~~ ~~#endif~~~~ / * Thread-Safe TLS Code */ #ifdef TCL_THREADS #define OPENSSL_THREAD_DEFINES #include <openssl/opensslconf.h>	< < < < < < < <	60 61 62 63 64 65 66 67 68 69 70 71 72 73	#define TLS_PROTO_TLS1_1 0x08 #define TLS_PROTO_TLS1_2 0x10 #define TLS_PROTO_TLS1_3 0x20 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) #define SSLKEYLOGFILE "SSLKEYLOGFILE" /* * Thread-Safe TLS Code */ #ifdef TCL_THREADS #define OPENSSL_THREAD_DEFINES #include <openssl/opensslconf.h>
︙			︙
1324 1325 1326 1327 1328 1329 1330 ~~1331~~ 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 ~~1344~~ 1345 1346 1347 1348 1349 1350 1351	OPTBYTE("-key", key, key_len); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); OPTBOOL("-request", request); OPTBOOL("-require", require); ~~OPTINT("-security_level", level);~~ OPTBOOL("-server", server); OPTSTR("-servername", servername); OPTSTR("-session_id", session_id); OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify \|= SSL_VERIFY_CLIENT_ONCE \| SSL_VERIFY_PEER; if (request && require) verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify \|= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE;	\| \|	1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343	OPTBYTE("-key", key, key_len); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); OPTBOOL("-request", request); OPTBOOL("-require", require); OPTINT("-securitylevel", level); OPTBOOL("-server", server); OPTSTR("-servername", servername); OPTSTR("-session_id", session_id); OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify \|= SSL_VERIFY_CLIENT_ONCE \| SSL_VERIFY_PEER; if (request && require) verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify \|= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE;
︙			︙
1908 1909 1910 1911 1912 1913 1914 1915 ~~1916~~ ~~1917 1918 1919~~ 1920 1921 1922 1923 1924 1925 1926	BIO_free(bio); Tcl_DStringFree(&ds); if (!dh) { Tcl_AppendResult(interp, "Could not read DH parameters from file", (char ) NULL); SSL_CTX_free(ctx); return NULL; } } else { ~~dh ~~= g~~et_dhPa~~rams~~();~~ ~~} ~~SSL_CTX_set_tmp_dh(ctx, dh);~~ ~~DH_free(dh);~~~~ } #endif / set our certificate */ load_private_key = 0; if (certfile != NULL) { load_private_key = 1;	> > > > \| > > > \| < < >	1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924	BIO_free(bio); Tcl_DStringFree(&ds); if (!dh) { Tcl_AppendResult(interp, "Could not read DH parameters from file", (char ) NULL); SSL_CTX_free(ctx); return NULL; } SSL_CTX_set_tmp_dh(ctx, dh); DH_free(dh); } else { / Use well known DH parameters that have built-in support in OpenSSL / if (!SSL_CTX_set_dh_auto(ctx, 1)) { Tcl_AppendResult(interp, "Could not enable set DH auto: ", REASON(), (char ) NULL); SSL_CTX_free(ctx); return NULL; } } } #endif /* set our certificate */ load_private_key = 0; if (certfile != NULL) { load_private_key = 1;
︙			︙