TclTLS: Check-in [2ed802a7af]

Overview

Comment:	Changes for OpenSSL v1.1.1 to make compatible with no deprecated option.
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| trunk
Files:	files \| file ages \| folders
SHA3-256:	2ed802a7afae14ce8bfa9793c3e6047c78b3d5d52bf0b60ec4016906ea78f469
User & Date:	bohagan on 2023-04-23 02:08:22
Other Links:	manifest \| tags

Context

2023-04-23
02:36		Applied patch to add OpenSSL3 KTLS trivial processing. Description: Patch adds trivial processing for BIO_CTRL_GET_KTLS_SEND and BIO_CTRL_GET_KTLS_RECV control commands to make tcltls working with OpenSSL 3.0. See also: - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006587 - https://bugzilla.redhat.com/show_bug.cgi?id=2088363 Source: https://sources.debian.org/src/tcltls/1.7.22-3/debian/patches/openssl3.patch check-in: 6f19aa6623 user: bohagan tags: trunk
02:08		Changes for OpenSSL v1.1.1 to make compatible with no deprecated option. check-in: 2ed802a7af user: bohagan tags: trunk
2023-04-10
01:27		Initial changes for TCL 9.0. Fixed package requires to work with TCL 9.0. Removed obsolete macro _ANSI_ARGS_, use ANSI arg definitions, etc. Macros: CONST84 to const, WIN32 to _WIN32, CONST to const, VOID to void, etc. Replaced Tcl_SaveResult with Tcl_SaveInterpState, Tcl_RestoreResult with Tcl_RestoreInterpState, and Tcl_DiscardResult with Tcl_DiscardInterpState. Use Tcl_BackgroundError for pre TCL 8.6 and Tcl_BackgroundException for TCL 8.6+. check-in: 275ecbcc5d user: bohagan tags: trunk

Changes

Modified tls.c from [28a1c0e368] to [e79ec1582f].

Modified tls.htm from [be912f239c] to [a06ffeb7ad].

Modified tlsBIO.c from [2fccc48eb3] to [d88dbca933].

Modified tlsIO.c from [106287680c] to [cfd328a393].

Modified tlsX509.c from [943fec2e44] to [87f16e34d8].

︙			︙
615 616 617 618 619 620 621 ~~622~~ 623 ~~624 625 626 627~~ 628 629 630 631 632 633 634	State statePtr = (State ) instanceData; Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); Tcl_DriverGetOptionProc getOptionProc; getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan)); if (getOptionProc != NULL) { ~~return (getOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, dsPtr);~~ } else if (optionName == (char) NULL) { ~~/ * Request is query for all options, this is ok. / return TCL_OK;~~ } / * Request for a specific option has to fail, we don't have any. */ return TCL_ERROR; }	\| \| \| \| \|	615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634	State statePtr = (State ) instanceData; Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); Tcl_DriverGetOptionProc getOptionProc; getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan)); if (getOptionProc != NULL) { return (getOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, dsPtr); } else if (optionName == (char) NULL) { / * Request is query for all options, this is ok. / return TCL_OK; } / * Request for a specific option has to fail, we don't have any. */ return TCL_ERROR; }
︙			︙
658 659 660 661 662 663 664 ~~665 666~~ 667 668 669 670 671 672 673 ~~674~~ 675 676 677 678 679 680 ~~681~~ 682 683 ~~684~~ 685 ~~686 687 688 689 690 691 692~~ 693 694 ~~695 696 697~~ 698 ~~699 700 701~~ 702 ~~703 704 705 706 707~~ 708 709 710 711 712 713 714	State statePtr = (State ) instanceData; dprintf("TlsWatchProc(0x%x)", mask); /* Pretend to be dead as long as the verify callback is running. * Otherwise that callback could be invoked recursively. / if (statePtr->flags & TLS_TCL_CALLBACK) { ~~dprintf("Callback is on-going, doing nothing"); return;~~ } dprintFlags(statePtr); downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { ~~dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here");~~ dprintf("Unregistering interest in the lower channel"); (Tcl_GetChannelType(downChan))->watchProc(Tcl_GetChannelInstanceData(downChan), 0); statePtr->watchMask = 0; ~~return;~~ } ~~statePtr->watchMask = mask;~~ / No channel handlers any more. We will be notified automatically * about events on the channel below via a call to our * 'TransformNotifyProc'. But we have to pass the interest down now. * We are allowed to add additional 'interest' to the mask if we want * to. But this transformation has no such interest. It just passes * the request down, unchanged. / ~~dprintf("Registering our interest in the lower channel (chan=%p)", (void ) downChan); (Tcl_GetChannelType(downChan)) ->watchProc(Tcl_GetChannelInstanceData(downChan), mask);~~ ~~/* * Management of the internal timer. /~~ ~~if (statePtr->timer != (Tcl_TimerToken) NULL) { dprintf("A timer was found, deleting it"); Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = (Tcl_TimerToken) NULL; }~~ if ((mask & TCL_READABLE) && ((Tcl_InputBuffered(statePtr->self) > 0) \|\| (BIO_ctrl_pending(statePtr->bio) > 0))) { / * There is interest in readable events and we actually have * data waiting, so generate a timer to flush that. */	\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714	State statePtr = (State ) instanceData; dprintf("TlsWatchProc(0x%x)", mask); /* Pretend to be dead as long as the verify callback is running. * Otherwise that callback could be invoked recursively. / if (statePtr->flags & TLS_TCL_CALLBACK) { dprintf("Callback is on-going, doing nothing"); return; } dprintFlags(statePtr); downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH); if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) { dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here"); dprintf("Unregistering interest in the lower channel"); (Tcl_GetChannelType(downChan))->watchProc(Tcl_GetChannelInstanceData(downChan), 0); statePtr->watchMask = 0; return; } statePtr->watchMask = mask; / No channel handlers any more. We will be notified automatically * about events on the channel below via a call to our * 'TransformNotifyProc'. But we have to pass the interest down now. * We are allowed to add additional 'interest' to the mask if we want * to. But this transformation has no such interest. It just passes * the request down, unchanged. / dprintf("Registering our interest in the lower channel (chan=%p)", (void ) downChan); (Tcl_GetChannelType(downChan)) ->watchProc(Tcl_GetChannelInstanceData(downChan), mask); /* * Management of the internal timer. / if (statePtr->timer != (Tcl_TimerToken) NULL) { dprintf("A timer was found, deleting it"); Tcl_DeleteTimerHandler(statePtr->timer); statePtr->timer = (Tcl_TimerToken) NULL; } if ((mask & TCL_READABLE) && ((Tcl_InputBuffered(statePtr->self) > 0) \|\| (BIO_ctrl_pending(statePtr->bio) > 0))) { / * There is interest in readable events and we actually have * data waiting, so generate a timer to flush that. */
︙			︙

1 2 3 4 5 6 7 8 9 10 11	/* * Copyright (C) 1997-2000 Sensus Consulting Ltd. * Matt Newman <[email protected]> / #include "tlsInt.h" / * Ensure these are not macros - known to be defined on Win32 */ #ifdef min #undef min	> > > > > >	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17	/* * Copyright (C) 1997-2000 Sensus Consulting Ltd. * Matt Newman <[email protected]> / #include <tcl.h> #include <stdio.h> #include <openssl/bio.h> #include <openssl/sha.h> #include <openssl/x509.h> #include <openssl/asn1.h> #include "tlsInt.h" / * Ensure these are not macros - known to be defined on Win32 */ #ifdef min #undef min
︙			︙
31 32 33 34 35 36 37 ~~38 39~~ 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69	static char * ASN1_UTCTIME_tostr(ASN1_UTCTIME tm) { static char bp[128]; char v; int gmt=0; static char mon[12]={ ~~"Jan","Feb","Mar","Apr","May","Jun", "Jul","Aug","Sep","Oct","Nov","Dec"};~~ int i; int y=0,M=0,d=0,h=0,m=0,s=0; i=tm->length; v=(char )tm->data; if (i < 10) goto err; if (v[i-1] == 'Z') gmt=1; for (i=0; i<10; i++) ~~if ((v[i] > '9') \|\| (v[i] < '0')) goto err;~~ y= (v[0]-'0')10+(v[1]-'0'); if (y < 70) y+=100; M= (v[2]-'0')10+(v[3]-'0'); if ((M > 12) \|\| (M < 1)) goto err; d= (v[4]-'0')10+(v[5]-'0'); h= (v[6]-'0')10+(v[7]-'0'); m= (v[8]-'0')10+(v[9]-'0'); if ( (v[10] >= '0') && (v[10] <= '9') && (v[11] >= '0') && (v[11] <= '9')) ~~s= (v[10]-'0')10+(v[11]-'0');~~ sprintf(bp,"%s %2d %02d:%02d:%02d %d%s", ~~mon[M-1],d,h,m,s,y+1900,(gmt)?" GMT":"");~~ return bp; err: return "Bad time value"; } /* ------------------------------------------------------	\| \| \| \| \|	37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75	static char * ASN1_UTCTIME_tostr(ASN1_UTCTIME tm) { static char bp[128]; char v; int gmt=0; static char mon[12]={ "Jan","Feb","Mar","Apr","May","Jun", "Jul","Aug","Sep","Oct","Nov","Dec"}; int i; int y=0,M=0,d=0,h=0,m=0,s=0; i=tm->length; v=(char )tm->data; if (i < 10) goto err; if (v[i-1] == 'Z') gmt=1; for (i=0; i<10; i++) if ((v[i] > '9') \|\| (v[i] < '0')) goto err; y= (v[0]-'0')10+(v[1]-'0'); if (y < 70) y+=100; M= (v[2]-'0')10+(v[3]-'0'); if ((M > 12) \|\| (M < 1)) goto err; d= (v[4]-'0')10+(v[5]-'0'); h= (v[6]-'0')10+(v[7]-'0'); m= (v[8]-'0')10+(v[9]-'0'); if ( (v[10] >= '0') && (v[10] <= '9') && (v[11] >= '0') && (v[11] <= '9')) s= (v[10]-'0')10+(v[11]-'0'); sprintf(bp,"%s %2d %02d:%02d:%02d %d%s", mon[M-1],d,h,m,s,y+1900,(gmt)?" GMT":""); return bp; err: return "Bad time value"; } /* ------------------------------------------------------
︙			︙
98 99 100 101 102 103 104 ~~105~~ 106 107 108 109 110 111 112	char notBefore[BUFSIZ]; char notAfter[BUFSIZ]; char certStr[CERT_STR_SIZE], certStr_p; int certStr_len, toRead; #ifndef NO_SSL_SHA char sha1_hash_ascii[SHA_DIGEST_LENGTH 2 + 1]; unsigned char sha1_hash_binary[SHA_DIGEST_LENGTH]; ~~char sha256_hash_ascii[SHA256_DIGEST_LENGTH2+1];~~ unsigned char sha256_hash_binary[SHA256_DIGEST_LENGTH]; const char shachars="0123456789ABCDEF"; sha1_hash_ascii[SHA_DIGEST_LENGTH * 2] = '\0'; sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2] = '\0'; #endif	\|	104 105 106 107 108 109 110 111 112 113 114 115 116 117 118	char notBefore[BUFSIZ]; char notAfter[BUFSIZ]; char certStr[CERT_STR_SIZE], certStr_p; int certStr_len, toRead; #ifndef NO_SSL_SHA char sha1_hash_ascii[SHA_DIGEST_LENGTH 2 + 1]; unsigned char sha1_hash_binary[SHA_DIGEST_LENGTH]; char sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2 + 1]; unsigned char sha256_hash_binary[SHA256_DIGEST_LENGTH]; const char shachars="0123456789ABCDEF"; sha1_hash_ascii[SHA_DIGEST_LENGTH 2] = '\0'; sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2] = '\0'; #endif
︙			︙
133 134 135 136 137 138 139 ~~140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159~~ 160 161 162 163 164 165 166 167 168 169 170 ~~171 172~~ 173 174 175 176 177 178 179	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1)); n = max(n, 0); serial[n] = 0; (void)BIO_flush(bio); if (PEM_write_bio_X509(bio, cert)) { certStr_p = certStr; certStr_len = 0; while (1) { toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1); toRead = min(toRead, BUFSIZ); if (toRead == 0) { break; } dprintf("Reading %i bytes from the certificate...", toRead); n = BIO_read(bio, certStr_p, toRead); if (n <= 0) { break; } certStr_len += n; certStr_p += n; } certStr_p = '\0'; (void)BIO_flush(bio); } BIO_free(bio); } strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) )); strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) )); #ifndef NO_SSL_SHA / SHA1 / X509_digest(cert, EVP_sha1(), sha1_hash_binary, NULL); for (int n = 0; n < SHA_DIGEST_LENGTH; n++) { ~~sha1_hash_ascii[n 2] = shachars[(sha1_hash_binary[n] & 0xF0) >> 4]; sha1_hash_ascii[n * 2 + 1] = shachars[(sha1_hash_binary[n] & 0x0F)];~~ } Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha1_hash_ascii, SHA_DIGEST_LENGTH * 2) ); /* SHA256 */ X509_digest(cert, EVP_sha256(), sha256_hash_binary, NULL); for (int n = 0; n < SHA256_DIGEST_LENGTH; n++) {	\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| > > > > > \| \|	139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1)); n = max(n, 0); serial[n] = 0; (void)BIO_flush(bio); if (PEM_write_bio_X509(bio, cert)) { certStr_p = certStr; certStr_len = 0; while (1) { toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1); toRead = min(toRead, BUFSIZ); if (toRead == 0) { break; } dprintf("Reading %i bytes from the certificate...", toRead); n = BIO_read(bio, certStr_p, toRead); if (n <= 0) { break; } certStr_len += n; certStr_p += n; } certStr_p = '\0'; (void)BIO_flush(bio); } BIO_free(bio); } #if OPENSSL_VERSION_NUMBER < 0x10100000L strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) )); strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) )); #else strcpy( notBefore, ASN1_UTCTIME_tostr( X509_getm_notBefore(cert) )); strcpy( notAfter, ASN1_UTCTIME_tostr( X509_getm_notAfter(cert) )); #endif #ifndef NO_SSL_SHA / SHA1 / X509_digest(cert, EVP_sha1(), sha1_hash_binary, NULL); for (int n = 0; n < SHA_DIGEST_LENGTH; n++) { sha1_hash_ascii[n2] = shachars[(sha1_hash_binary[n] & 0xF0) >> 4]; sha1_hash_ascii[n2+1] = shachars[(sha1_hash_binary[n] & 0x0F)]; } Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha1_hash_ascii, SHA_DIGEST_LENGTH 2) ); /* SHA256 */ X509_digest(cert, EVP_sha256(), sha256_hash_binary, NULL); for (int n = 0; n < SHA256_DIGEST_LENGTH; n++) {
︙			︙

︙			︙
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 ~~42 43 44~~ 45 46 47 48 49 50 51	* tclSSL (Colin McCormack, Shared Technology) * SSLtcl (Peter Antman) * / #include "tlsInt.h" #include "tclOpts.h" #include <stdlib.h> / * External functions / / * Forward declarations / #define F2N( key, dsp) \ (((key) == NULL) ? (char ) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) #define REASON() ERR_reason_error_string(ERR_get_error()) static SSL_CTX CTX_Init(State statePtr, int isServer, int proto, char key, ~~char certfile, unsigned char key_asn1, unsigned char cert_asn1, int key_asn1_len, int cert_asn1_len, char CAdir, char CAfile, char ciphers, char DHparams);~~ static int TlsLibInit(int uninitialize); #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08	> > \| \| \|	19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53	* tclSSL (Colin McCormack, Shared Technology) * SSLtcl (Peter Antman) * / #include "tlsInt.h" #include "tclOpts.h" #include <stdio.h> #include <stdlib.h> #include <openssl/rsa.h> / * External functions / / * Forward declarations / #define F2N( key, dsp) \ (((key) == NULL) ? (char ) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) #define REASON() ERR_reason_error_string(ERR_get_error()) static SSL_CTX CTX_Init(State statePtr, int isServer, int proto, char key, char certfile, unsigned char key_asn1, unsigned char cert_asn1, int key_asn1_len, int cert_asn1_len, char CAdir, char CAfile, char ciphers, char DHparams); static int TlsLibInit(int uninitialize); #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08
︙			︙
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110	#ifdef TCL_THREADS #define OPENSSL_THREAD_DEFINES #include <openssl/opensslconf.h> #ifdef OPENSSL_THREADS #include <openssl/crypto.h> /* * Threaded operation requires locking callbacks * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. / static Tcl_Mutex locks = NULL; static int locksCount = 0; static Tcl_Mutex init_mx; void CryptoThreadLockCallback(int mode, int n, const char file, int line) { if (mode & CRYPTO_LOCK) { / This debugging is turned off by default -- it's too noisy. / / dprintf("Called to lock (n=%i of %i)", n, locksCount); */ Tcl_MutexLock(&locks[n]);	> > > >	90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116	#ifdef TCL_THREADS #define OPENSSL_THREAD_DEFINES #include <openssl/opensslconf.h> #ifdef OPENSSL_THREADS #include <openssl/crypto.h> /* Added / #include <openssl/ssl.h> / * Threaded operation requires locking callbacks * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. / static Tcl_Mutex locks = NULL; static int locksCount = 0; static Tcl_Mutex init_mx; # if OPENSSL_VERSION_NUMBER < 0x10100000L void CryptoThreadLockCallback(int mode, int n, const char file, int line) { if (mode & CRYPTO_LOCK) { / This debugging is turned off by default -- it's too noisy. / / dprintf("Called to lock (n=%i of %i)", n, locksCount); */ Tcl_MutexLock(&locks[n]);
︙			︙
127 128 129 130 131 132 133 134 135 136 137 138 139 140	ret = (unsigned long) Tcl_GetCurrentThread(); dprintf("Returning %lu", ret); return(ret); } #endif /* OPENSSL_THREADS / #endif / TCL_THREADS / / -------------------------------------------------------------------	>	133 134 135 136 137 138 139 140 141 142 143 144 145 146 147	ret = (unsigned long) Tcl_GetCurrentThread(); dprintf("Returning %lu", ret); return(ret); } #endif #endif /* OPENSSL_THREADS / #endif / TCL_THREADS / / -------------------------------------------------------------------
︙			︙
426 427 428 429 430 431 432 ~~433~~ 434 435 436 437 438 439 440	/* * No way to handle user-data therefore no way without a global * variable to access the Tcl interpreter. / static int PasswordCallback(char buf, int size, int verify) { return -1; ~~buf = buf;~~ size = size; verify = verify; } #else static int PasswordCallback(char buf, int size, int verify, void udata) { State statePtr = (State ) udata;	\|	433 434 435 436 437 438 439 440 441 442 443 444 445 446 447	/* * No way to handle user-data therefore no way without a global * variable to access the Tcl interpreter. / static int PasswordCallback(char buf, int size, int verify) { return -1; buf = buf; size = size; verify = verify; } #else static int PasswordCallback(char buf, int size, int verify, void udata) { State statePtr = (State ) udata;
︙			︙
472 473 474 475 476 477 478 ~~479~~ 480 ~~481~~ 482 ~~483~~ 484 485 486 487 488 489 490	Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); if (code == TCL_OK) { char ret = (char ) Tcl_GetStringResult(interp); if (strlen(ret) < size - 1) { ~~strncpy(buf, ret, (size_t) size);~~ Tcl_Release((ClientData) interp); ~~return (int)strlen(ret);~~ } } Tcl_Release((ClientData) interp); return -1; } #endif /* *-------------------------------------------------------------------	\| \| \|	479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497	Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); if (code == TCL_OK) { char ret = (char ) Tcl_GetStringResult(interp); if (strlen(ret) < size - 1) { strncpy(buf, ret, (size_t) size); Tcl_Release((ClientData) interp); return (int)strlen(ret); } } Tcl_Release((ClientData) interp); return -1; } #endif /* *-------------------------------------------------------------------
︙			︙
515 516 517 518 519 520 521 ~~522~~ 523 524 525 526 527 528 529 ~~530~~ 531 532 533 534 535 ~~536~~ 537 538 539 540 541 542 ~~543~~ 544 545 546 547 548 549 ~~550~~ 551 552 553 554 555 556 ~~557~~ 558 559 560 561 562 563 ~~564~~ 565 566 567 568 569 570 ~~571~~ 572 573 574 575 576 ~~577~~ 578 579 580 581 582 583 584	SSL ssl = NULL; STACK_OF(SSL_CIPHER) sk; char *cp, buf[BUFSIZ]; int index, verbose = 0; dprintf("Called"); ~~if (objc < 2 \|\| objc > 3) {~~ Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose?"); return TCL_ERROR; } if (Tcl_GetIndexFromObj( interp, objv[1], protocols, "protocol", 0, &index) != TCL_OK) { return TCL_ERROR; } ~~if (objc > 2 && Tcl_GetBooleanFromObj( interp, objv[2],~~ &verbose) != TCL_OK) { return TCL_ERROR; } switch ((enum protocol)index) { case TLS_SSL2: ~~#if defined(NO_SSL2)~~ Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(SSLv2_method()); break; #endif case TLS_SSL3: ~~#if defined(NO_SSL3)~~ Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(SSLv3_method()); break; #endif case TLS_TLS1: ~~#if defined(NO_TLS1)~~ Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_method()); break; #endif case TLS_TLS1_1: ~~#if defined(NO_TLS1_1)~~ Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_1_method()); break; #endif case TLS_TLS1_2: ~~#if defined(NO_TLS1_2)~~ Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif case TLS_TLS1_3: ~~#if defined(NO_TLS1_3)~~ Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLS_method()); SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); ~~SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);~~ break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), NULL);	\| \| \| \| \| \| \| \| \|	522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591	SSL ssl = NULL; STACK_OF(SSL_CIPHER) sk; char *cp, buf[BUFSIZ]; int index, verbose = 0; dprintf("Called"); if ((objc < 2) \|\| (objc > 3)) { Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose?"); return TCL_ERROR; } if (Tcl_GetIndexFromObj( interp, objv[1], protocols, "protocol", 0, &index) != TCL_OK) { return TCL_ERROR; } if ((objc > 2) && Tcl_GetBooleanFromObj( interp, objv[2], &verbose) != TCL_OK) { return TCL_ERROR; } switch ((enum protocol)index) { case TLS_SSL2: #if OPENSSL_VERSION_NUMBER >= 0x10101000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(SSLv2_method()); break; #endif case TLS_SSL3: #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(SSLv3_method()); break; #endif case TLS_TLS1: #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_method()); break; #endif case TLS_TLS1_1: #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_1_method()); break; #endif case TLS_TLS1_2: #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif case TLS_TLS1_3: #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLS_method()); SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), NULL);
︙			︙
603 604 605 606 607 608 609 ~~610 611~~ 612 613 614 615 616 617 618 619 620 621 622 623 624 625 ~~626~~ 627 628 629 630 631 632 633	sk = SSL_get_ciphers(ssl); for (index = 0; index < sk_SSL_CIPHER_num(sk); index++) { register size_t i; SSL_CIPHER_description( sk_SSL_CIPHER_value( sk, index), buf, sizeof(buf)); for (i = strlen(buf) - 1; i ; i--) { ~~if (buf[i] == ' ' \|\| buf[i] == '\n' \|\| buf[i] == '\r' \|\| buf[i] == '\t') {~~ buf[i] = '\0'; } else { break; } } Tcl_ListObjAppendElement( interp, objPtr, Tcl_NewStringObj( buf, -1) ); } } SSL_free(ssl); SSL_CTX_free(ctx); Tcl_SetObjResult( interp, objPtr); return TCL_OK; ~~clientData = clientData;~~ } /* ------------------------------------------------------------------- * HandshakeObjCmd -- *	\| \| \|	610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640	sk = SSL_get_ciphers(ssl); for (index = 0; index < sk_SSL_CIPHER_num(sk); index++) { register size_t i; SSL_CIPHER_description( sk_SSL_CIPHER_value( sk, index), buf, sizeof(buf)); for (i = strlen(buf) - 1; i ; i--) { if ((buf[i] == ' ') \|\| (buf[i] == '\n') \|\| (buf[i] == '\r') \|\| (buf[i] == '\t')) { buf[i] = '\0'; } else { break; } } Tcl_ListObjAppendElement( interp, objPtr, Tcl_NewStringObj( buf, -1) ); } } SSL_free(ssl); SSL_CTX_free(ctx); Tcl_SetObjResult( interp, objPtr); return TCL_OK; clientData = clientData; } /* ------------------------------------------------------------------- * HandshakeObjCmd -- *
︙			︙
680 681 682 683 684 685 686 ~~687~~ 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 ~~706~~ 707 708 709 710 711 712 713	dprintf("Async set and err = EAGAIN"); ret = 0; } else if (ret < 0) { errStr = statePtr->err; Tcl_ResetResult(interp); Tcl_SetErrno(err); ~~if (!errStr \|\| errStr == 0) {~~ errStr = Tcl_PosixError(interp); } Tcl_AppendResult(interp, "handshake failed: ", errStr, (char ) NULL); dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); return(TCL_ERROR); } else { if (err != 0) { dprintf("Got an error with a completed handshake: err = %i", err); } ret = 1; } dprintf("Returning TCL_OK with data \"%i\"", ret); Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); return(TCL_OK); ~~clientData = clientData;~~ } /* ------------------------------------------------------------------- * ImportObjCmd -- *	\| \|	687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720	dprintf("Async set and err = EAGAIN"); ret = 0; } else if (ret < 0) { errStr = statePtr->err; Tcl_ResetResult(interp); Tcl_SetErrno(err); if (!errStr \|\| (errStr == 0)) { errStr = Tcl_PosixError(interp); } Tcl_AppendResult(interp, "handshake failed: ", errStr, (char ) NULL); dprintf("Returning TCL_ERROR with handshake failed: %s", errStr); return(TCL_ERROR); } else { if (err != 0) { dprintf("Got an error with a completed handshake: err = %i", err); } ret = 1; } dprintf("Returning TCL_OK with data \"%i\"", ret); Tcl_SetObjResult(interp, Tcl_NewIntObj(ret)); return(TCL_OK); clientData = clientData; } /* ------------------------------------------------------------------- * ImportObjCmd -- *
︙			︙
753 754 755 756 757 758 759 ~~760~~ 761 762 ~~763~~ 764 765 ~~766~~ 767 768 ~~769~~ 770 771 ~~772~~ 773 774 ~~775~~ 776 777 778 779 780 781 782	int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0; int verify = 0, require = 0, request = 1; dprintf("Called"); ~~#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL3) && !defined(NO_SSL2)~~ ssl2 = 1; #endif ~~#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL2) && !defined(NO_SSL3)~~ ssl3 = 1; #endif ~~#if defined(NO_TLS1)~~ tls1 = 0; #endif ~~#if defined(NO_TLS1_1)~~ tls1_1 = 0; #endif ~~#if defined(NO_TLS1_2)~~ tls1_2 = 0; #endif ~~#if defined(NO_TLS1_3)~~ tls1_3 = 0; #endif if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; }	\| \| \| \| \| \|	760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789	int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0; int verify = 0, require = 0, request = 1; dprintf("Called"); #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3) && defined(NO_SSL3) && !defined(NO_SSL2) ssl2 = 1; #endif #if !defined(OPENSSL_NO_SSL3) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3) && defined(NO_SSL2) && !defined(NO_SSL3) ssl3 = 1; #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) tls1 = 0; #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) tls1_1 = 0; #endif #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) tls1_2 = 0; #endif #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) tls1_3 = 0; #endif if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; }
︙			︙
806 807 808 809 810 811 812 ~~813~~ 814 815 816 817 818 819 820 821 822 823 824 825 ~~826~~ 827 828 829 830 831 832 833	OPTSTR( "-keyfile", keyfile); OPTSTR( "-model", model); OPTOBJ( "-password", password); OPTBOOL( "-require", require); OPTBOOL( "-request", request); OPTBOOL( "-server", server); #ifndef OPENSSL_NO_TLSEXT ~~OPTSTR( "-servername", servername);~~ OPTOBJ( "-alpn", alpn); #endif OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); OPTBOOL( "-tls1.3", tls1_3); OPTBYTE("-cert", cert, cert_len); OPTBYTE("-key", key, key_len); OPTBAD( "option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3"); return TCL_ERROR; } if (request) verify \|= SSL_VERIFY_CLIENT_ONCE \| SSL_VERIFY_PEER; if (request && require) verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (verify == 0) verify = SSL_VERIFY_NONE;	\| \|	813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840	OPTSTR( "-keyfile", keyfile); OPTSTR( "-model", model); OPTOBJ( "-password", password); OPTBOOL( "-require", require); OPTBOOL( "-request", request); OPTBOOL( "-server", server); #ifndef OPENSSL_NO_TLSEXT OPTSTR( "-servername", servername); OPTOBJ( "-alpn", alpn); #endif OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); OPTBOOL( "-tls1.3", tls1_3); OPTBYTE("-cert", cert, cert_len); OPTBYTE("-key", key, key_len); OPTBAD( "option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or -tls1.3"); return TCL_ERROR; } if (request) verify \|= SSL_VERIFY_CLIENT_ONCE \| SSL_VERIFY_PEER; if (request && require) verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (verify == 0) verify = SSL_VERIFY_NONE;
︙			︙
880 881 882 883 884 885 886 ~~887 888 889 890~~ 891 892 893 894 895 896 897	/* Get the "model" context / chan = Tcl_GetChannel(interp, model, &mode); if (chan == (Tcl_Channel) NULL) { Tls_Free((char ) statePtr); return TCL_ERROR; } ~~/* * Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan);~~ if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;	\| \| \| \|	887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904	/* Get the "model" context / chan = Tcl_GetChannel(interp, model, &mode); if (chan == (Tcl_Channel) NULL) { Tls_Free((char ) statePtr); return TCL_ERROR; } /* * Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
︙			︙
948 949 950 951 952 953 954 ~~955 956 957 958 959 960~~ 961 962 963 964 965 966 967	(char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } #ifndef OPENSSL_NO_TLSEXT if (servername) { if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } } if (alpn) { /* Convert a Tcl list into a protocol-list in wire-format / unsigned char protos, p; unsigned int protoslen = 0; int i, len, cnt; Tcl_Obj *list;	\| \| \| \| \| \|	955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974	(char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } #ifndef OPENSSL_NO_TLSEXT if (servername) { if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } } if (alpn) { /* Convert a Tcl list into a protocol-list in wire-format / unsigned char protos, p; unsigned int protoslen = 0; int i, len, cnt; Tcl_Obj *list;
︙			︙
1028 1029 1030 1031 1032 1033 1034 ~~1035~~ 1036 1037 1038 1039 1040 1041 1042	/* * End of SSL Init / dprintf("Returning %s", Tcl_GetChannelName(statePtr->self)); Tcl_SetResult(interp, (char ) Tcl_GetChannelName(statePtr->self), TCL_VOLATILE); return TCL_OK; ~~clientData = clientData;~~ } /* ------------------------------------------------------------------- * UnimportObjCmd -- *	\|	1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049	/* * End of SSL Init / dprintf("Returning %s", Tcl_GetChannelName(statePtr->self)); Tcl_SetResult(interp, (char ) Tcl_GetChannelName(statePtr->self), TCL_VOLATILE); return TCL_OK; clientData = clientData; } /* ------------------------------------------------------------------- * UnimportObjCmd -- *
︙			︙
1079 1080 1081 1082 1083 1084 1085 ~~1086~~ 1087 1088 1089 1090 1091 1092 1093	} if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) { return TCL_ERROR; } return TCL_OK; ~~clientData = clientData;~~ } /* ------------------------------------------------------------------- * CTX_Init -- construct a SSL_CTX instance *	\|	1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100	} if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) { return TCL_ERROR; } return TCL_OK; clientData = clientData; } /* ------------------------------------------------------------------- * CTX_Init -- construct a SSL_CTX instance *
︙			︙
1116 1117 1118 1119 1120 1121 1122 ~~1123~~ 1124 1125 1126 1127 1128 ~~1129~~ 1130 1131 1132 1133 1134 ~~1135~~ 1136 1137 1138 1139 1140 ~~1141~~ 1142 1143 1144 1145 1146 ~~1147~~ 1148 1149 1150 1151 1152 ~~1153~~ 1154 1155 1156 1157 1158 1159 1160 ~~1161~~ 1162 1163 1164 1165 ~~1166~~ 1167 1168 1169 1170 ~~1171~~ 1172 1173 1174 1175 ~~1176~~ 1177 1178 1179 1180 ~~1181~~ 1182 1183 1184 1185 ~~1186~~ 1187 ~~1188 1189 1190 1191 1192~~ 1193 1194 1195 1196 ~~1197~~ ~~1198~~ 1199 ~~1200~~ 1201 ~~1202~~ 1203 1204 ~~1205~~ 1206 1207 ~~1208~~ 1209 1210 ~~1211~~ 1212 1213 ~~1214~~ 1215 1216 ~~1217~~ 1218 1219 1220 1221 1222 1223 1224 1225 ~~1226~~ 1227 1228 1229 1230 1231 1232 ~~1233~~ 1234 ~~1235 1236~~ 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249	if (!proto) { Tcl_AppendResult(interp, "no valid protocol selected", NULL); return (SSL_CTX )0; } / create SSL context / ~~#if defined(NO_SSL2)~~ if (ENABLED(proto, TLS_PROTO_SSL2)) { Tcl_AppendResult(interp, "SSL2 protocol not supported", NULL); return (SSL_CTX )0; } #endif ~~#if defined(NO_SSL3)~~ if (ENABLED(proto, TLS_PROTO_SSL3)) { Tcl_AppendResult(interp, "SSL3 protocol not supported", NULL); return (SSL_CTX )0; } #endif ~~#if defined(NO_TLS1)~~ if (ENABLED(proto, TLS_PROTO_TLS1)) { Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", NULL); return (SSL_CTX )0; } #endif ~~#if defined(NO_TLS1_1)~~ if (ENABLED(proto, TLS_PROTO_TLS1_1)) { Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", NULL); return (SSL_CTX )0; } #endif ~~#if defined(NO_TLS1_2)~~ if (ENABLED(proto, TLS_PROTO_TLS1_2)) { Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", NULL); return (SSL_CTX )0; } #endif ~~#if defined(NO_TLS1_3)~~ if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return (SSL_CTX )0; } #endif switch (proto) { ~~#if !defined(NO_SSL2)~~ case TLS_PROTO_SSL2: method = SSLv2_method(); break; #endif ~~#if !defined(NO_SSL3)~~ case TLS_PROTO_SSL3: method = SSLv3_method(); break; #endif ~~#if !defined(NO_TLS1)~~ case TLS_PROTO_TLS1: method = TLSv1_method(); break; #endif ~~#if !defined(NO_TLS1_1)~~ case TLS_PROTO_TLS1_1: method = TLSv1_1_method(); break; #endif ~~#if !defined(NO_TLS1_2)~~ case TLS_PROTO_TLS1_2: method = TLSv1_2_method(); break; #endif ~~#if !defined(NO_TLS1_3)~~ case TLS_PROTO_TLS1_3: ~~/ * The version range is constrained below, * after the context is created. Use the * generic method here. /~~ method = TLS_method(); break; #endif default: ~~#if~~def~~ HAVE_TL~~S_METHOD~~~~ ~~method = TLS_method();~~ #else ~~method = SSLv23_method();~~ #endif ~~#if !defined(NO_SSL2)~~ off \|= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); #endif ~~#if !defined(NO_SSL3)~~ off \|= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); #endif ~~#if !defined(NO_TLS1)~~ off \|= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); #endif ~~#if !defined(NO_TLS1_1)~~ off \|= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); #endif ~~#if !defined(NO_TLS1_2)~~ off \|= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); #endif ~~#if !defined(NO_TLS1_3)~~ off \|= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); #endif break; } ctx = SSL_CTX_new(method); if (!ctx) { ~~return(NULL);~~ } if (getenv(SSLKEYLOGFILE)) { SSL_CTX_set_keylog_callback(ctx, KeyLogCallback); } ~~#if !defined(NO_TLS1_3)~~ if (proto == TLS_PROTO_TLS1_3) { ~~SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);~~ } #endif SSL_CTX_set_app_data( ctx, (void)interp); /* remember the interpreter / SSL_CTX_set_options( ctx, SSL_OP_ALL); / all SSL bug workarounds / SSL_CTX_set_options( ctx, off); / all SSL bug workarounds / SSL_CTX_sess_set_cache_size( ctx, 128); if (ciphers != NULL) SSL_CTX_set_cipher_list(ctx, ciphers); / set some callbacks */ SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);	\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| > \| \| \| \| \| \| \| \| \| \| \| \| > > >	1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260	if (!proto) { Tcl_AppendResult(interp, "no valid protocol selected", NULL); return (SSL_CTX )0; } / create SSL context / #if OPENSSL_VERSION_NUMBER >= 0x10101000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { Tcl_AppendResult(interp, "SSL2 protocol not supported", NULL); return (SSL_CTX )0; } #endif #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { Tcl_AppendResult(interp, "SSL3 protocol not supported", NULL); return (SSL_CTX )0; } #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", NULL); return (SSL_CTX )0; } #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", NULL); return (SSL_CTX )0; } #endif #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", NULL); return (SSL_CTX )0; } #endif #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return (SSL_CTX )0; } #endif switch (proto) { #if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) case TLS_PROTO_SSL2: method = SSLv2_method(); break; #endif #if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) case TLS_PROTO_SSL3: method = SSLv3_method(); break; #endif #if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) case TLS_PROTO_TLS1: method = TLSv1_method(); break; #endif #if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) case TLS_PROTO_TLS1_1: method = TLSv1_1_method(); break; #endif #if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) case TLS_PROTO_TLS1_2: method = TLSv1_2_method(); break; #endif #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) case TLS_PROTO_TLS1_3: / * The version range is constrained below, * after the context is created. Use the * generic method here. / method = TLS_method(); break; #endif default: #if OPENSSL_VERSION_NUMBER >= 0x10100000L / Negotiate highest available SSL/TLS version / method = TLS_method(); #else method = SSLv23_method(); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) off \|= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); #endif #if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) off \|= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); #endif #if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) off \|= (ENABLED(proto, TLS_PROTO_TLS1) ? 0 : SSL_OP_NO_TLSv1); #endif #if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) off \|= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1); #endif #if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) off \|= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); #endif #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) off \|= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); #endif break; } ctx = SSL_CTX_new(method); if (!ctx) { return(NULL); } if (getenv(SSLKEYLOGFILE)) { SSL_CTX_set_keylog_callback(ctx, KeyLogCallback); } #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) if (proto == TLS_PROTO_TLS1_3) { SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); } #endif SSL_CTX_set_app_data( ctx, (void)interp); /* remember the interpreter / SSL_CTX_set_options( ctx, SSL_OP_ALL); / all SSL bug workarounds / SSL_CTX_set_options( ctx, off); / all SSL bug workarounds / #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); / handle new handshakes in background / #endif SSL_CTX_sess_set_cache_size( ctx, 128); if (ciphers != NULL) SSL_CTX_set_cipher_list(ctx, ciphers); / set some callbacks */ SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
︙			︙
1396 1397 1398 1399 1400 1401 1402 ~~1403~~ 1404 1405 1406 1407 1408 1409 1410	return (SSL_CTX )0; #endif } / https://sourceforge.net/p/tls/bugs/57/ / / XXX:TODO: Let the user supply values here instead of something that exists on the filesystem / if ( CAfile != NULL ) { ~~STACK_OF(X509_NAME) certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) );~~ if ( certNames != NULL ) { SSL_CTX_set_client_CA_list(ctx, certNames ); } } Tcl_DStringFree(&ds); Tcl_DStringFree(&ds1);	\|	1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421	return (SSL_CTX )0; #endif } / https://sourceforge.net/p/tls/bugs/57/ / / XXX:TODO: Let the user supply values here instead of something that exists on the filesystem / if ( CAfile != NULL ) { STACK_OF(X509_NAME) certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) ); if ( certNames != NULL ) { SSL_CTX_set_client_CA_list(ctx, certNames ); } } Tcl_DStringFree(&ds); Tcl_DStringFree(&ds1);
︙			︙
1486 1487 1488 1489 1490 1491 1492 ~~1493~~ 1494 1495 1496 1497 1498 1499 1500	Tcl_ListObjAppendElement (interp, objPtr, Tcl_NewStringObj ("sbits", -1)); Tcl_ListObjAppendElement (interp, objPtr, Tcl_NewIntObj (SSL_get_cipher_bits (statePtr->ssl, NULL))); ciphers = (char*)SSL_get_cipher(statePtr->ssl); ~~if (ciphers != NULL && strcmp(ciphers, "(NONE)")~~!=0~~) {~~ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("cipher", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1)); } #ifndef OPENSSL_NO_TLSEXT	\|	1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511	Tcl_ListObjAppendElement (interp, objPtr, Tcl_NewStringObj ("sbits", -1)); Tcl_ListObjAppendElement (interp, objPtr, Tcl_NewIntObj (SSL_get_cipher_bits (statePtr->ssl, NULL))); ciphers = (char*)SSL_get_cipher(statePtr->ssl); if ((ciphers != NULL) && (strcmp(ciphers, "(NONE)") != 0)) { Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("cipher", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1)); } #ifndef OPENSSL_NO_TLSEXT
︙			︙
1508 1509 1510 1511 1512 1513 1514 ~~1515~~ 1516 1517 1518 1519 1520 1521 1522	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("version", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1)); Tcl_SetObjResult( interp, objPtr); return TCL_OK; ~~clientData = clientData;~~ } /* ------------------------------------------------------------------- * VersionObjCmd -- return version string from OpenSSL. *	\|	1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("version", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1)); Tcl_SetObjResult( interp, objPtr); return TCL_OK; clientData = clientData; } /* ------------------------------------------------------------------- * VersionObjCmd -- return version string from OpenSSL. *
︙			︙
1534 1535 1536 1537 1538 1539 1540 ~~1541 1542 1543~~ 1544 1545 1546 1547 1548 1549 1550	dprintf("Called"); objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1); Tcl_SetObjResult(interp, objPtr); return TCL_OK; ~~clientData = clientData; objc = objc; objv = objv;~~ } /* ------------------------------------------------------------------- * MiscObjCmd -- misc commands *	\| \| \|	1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561	dprintf("Called"); objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1); Tcl_SetObjResult(interp, objPtr); return TCL_OK; clientData = clientData; objc = objc; objv = objv; } /* ------------------------------------------------------------------- * MiscObjCmd -- misc commands *
︙			︙
1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597	int listc,i; BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,*str; int keysize,serial=0,days=365; if ((objc<5) \|\| (objc>6)) { Tcl_WrongNumArgs(interp, 2, objv, "keysize keyfile certfile ?info?"); return TCL_ERROR; } if (Tcl_GetIntFromObj(interp, objv[2], &keysize) != TCL_OK) {	> > > > > > > > >	1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617	int listc,i; BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,str; int keysize,serial=0,days=365; #if OPENSSL_VERSION_NUMBER <= 0x10100000L RSA rsa = NULL; #elif OPENSSL_VERSION_NUMBER < 0x30000000L BIGNUM bne = NULL; RSA rsa = NULL; #else EVP_PKEY_CTX *ctx = NULL; #endif if ((objc<5) \|\| (objc>6)) { Tcl_WrongNumArgs(interp, 2, objv, "keysize keyfile certfile ?info?"); return TCL_ERROR; } if (Tcl_GetIntFromObj(interp, objv[2], &keysize) != TCL_OK) {