@@ -59,11 +59,11 @@ Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]); static int UnimportObjCmd(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]); -static SSL_CTX *CTX_Init(State *statePtr, int proto, char *key, +static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, char *cert, char *CAdir, char *CAfile, char *ciphers, char *DHparams); static int TlsLibInit(int uninitialize); @@ -70,10 +70,11 @@ #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08 #define TLS_PROTO_TLS1_2 0x10 +#define TLS_PROTO_TLS1_3 0x20 #define ENABLED(flag, mask) (((flag) & (mask)) == (mask)) /* * Static data structures */ @@ -563,11 +564,13 @@ case TLS_TLS1_3: #if defined(NO_TLS1_3) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else - ctx = SSL_CTX_new(TLSv1_3_method()); break; + ctx = SSL_CTX_new(TLS_method()); break; + SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); + SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION); #endif default: break; } if (ctx == NULL) { @@ -824,10 +827,11 @@ proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); proto |= (tls1 ? TLS_PROTO_TLS1 : 0); proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); + proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0); /* reset to NULL if blank string provided */ if (cert && !*cert) cert = NULL; if (key && !*key) key = NULL; if (ciphers && !*ciphers) ciphers = NULL; @@ -881,11 +885,11 @@ Tls_Free((char *) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; } else { - if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, + if ((ctx = CTX_Init(statePtr, server, proto, key, cert, CAdir, CAfile, ciphers, DHparams)) == (SSL_CTX*)0) { Tls_Free((char *) statePtr); return TCL_ERROR; } } @@ -1050,12 +1054,13 @@ * *------------------------------------------------------------------- */ static SSL_CTX * -CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, DHparams) +CTX_Init(statePtr, isServer, proto, key, cert, CAdir, CAfile, ciphers, DHparams) State *statePtr; + int isServer; int proto; char *key; char *cert; char *CAdir; char *CAfile; @@ -1105,10 +1110,16 @@ if (ENABLED(proto, TLS_PROTO_TLS1_2)) { Tcl_AppendResult(interp, "protocol not supported", NULL); return (SSL_CTX *)0; } #endif +#if defined(NO_TLS1_3) + if (ENABLED(proto, TLS_PROTO_TLS1_3)) { + Tcl_AppendResult(interp, "protocol not supported", NULL); + return (SSL_CTX *)0; + } +#endif switch (proto) { #if !defined(NO_SSL2) case TLS_PROTO_SSL2: method = SSLv2_method (); @@ -1131,13 +1142,27 @@ #endif #if !defined(NO_TLS1_2) case TLS_PROTO_TLS1_2: method = TLSv1_2_method (); break; +#endif +#if !defined(NO_TLS1_3) + case TLS_PROTO_TLS1_3: + /* + * The version range is constrained below, + * after the context is created. Use the + * generic method here. + */ + method = TLS_method (); + break; #endif default: +#ifdef HAVE_TLS_METHOD + method = TLS_method (); +#else method = SSLv23_method (); +#endif #if !defined(NO_SSL2) off |= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); #endif #if !defined(NO_SSL3) off |= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); @@ -1149,14 +1174,28 @@ off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); #endif #if !defined(NO_TLS1_2) off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); #endif +#if !defined(NO_TLS1_3) + off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); +#endif break; } ctx = SSL_CTX_new (method); + + if (!ctx) { + return(NULL); + } + +#if !defined(NO_TLS1_3) + if (proto == TLS_PROTO_TLS1_3) { + SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); + SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION); + } +#endif SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */ SSL_CTX_set_options( ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options( ctx, off); /* all SSL bug workarounds */ SSL_CTX_sess_set_cache_size( ctx, 128);