TclTLS: Changes On Branch 35832d0765288d85

Changes In Branch crypto Through [35832d0765] Excluding Merge-Ins

This is equivalent to a diff from 914ac6b2a4 to 35832d0765

2023-11-22
22:18		Fix to IO test missing set blocking value. See https://core.tcl-lang.org/tcltls/tktview/bb7085cfdc check-in: 104e43c85e user: bohagan tags: trunk
2023-11-19
23:20		Added test cases for get cipher and digest info commands check-in: 5a64d9be3f user: bohagan tags: crypto
02:55		Added get cipher info command to return properties of a cipher check-in: 35832d0765 user: bohagan tags: crypto
2023-11-18
18:55		Added get digest info command to return properties of a digest check-in: e47bd35656 user: bohagan tags: crypto
2023-10-28
17:30		Merged in changes from master check-in: 1de7e0ec74 user: bohagan tags: crypto
17:20		Optimized TLS channel type definition check-in: 914ac6b2a4 user: bohagan tags: trunk
2023-10-09
19:08		Updated to latest TEA and Tcl Config check-in: ec0cc9fbdf user: bohagan tags: trunk

Modified configure from [4c56eae107] to [285f813da9].

Modified configure.ac from [ac9d3aa5eb] to [48f68fd73a].

Modified doc/tls.html from [9494c1c42e] to [cb37aa64df].

Modified generic/tclOpts.h from [fee5089a30] to [c197957f96].

Modified generic/tls.c from [f4a59d7949] to [0db9f8be24].

Modified generic/tlsBIO.c from [904acc3cbd] to [3977ec0a04].

Added generic/tlsDigest.c version [294d716507].

Modified generic/tlsIO.c from [fb8d969c33] to [0b06e53585].

Added generic/tlsInfo.c version [07e090db04].

Modified generic/tlsInt.h from [0103fefac9] to [f793362aa1].

Modified generic/tlsX509.c from [a931d05109] to [ead2e837f3].

Modified tests/badssl.csv from [8df90efe9b] to [3b4cb80289].

Modified tests/badssl.test from [66893a8fa7] to [89e2c5b1af].

Deleted tests/ciphers.csv version [f4aff3652a].

Deleted tests/ciphers.test version [212c1bf055].

Added tests/common.tcl version [019f917847].

Added tests/digest.csv version [01ba038a9c].

Added tests/digest.test version [7beb0ce3a7].

Added tests/info.csv version [c468f266e4].

Added tests/info.test version [b0b4c54bea].

Modified tests/make_test_files.tcl from [c31b96320d] to [7a3f2ae871].

Modified win/makefile.vc from [11d5b7bf2c] to [f23472ab04].

︙			︙
27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 ~~68 69~~ 70 71 72 73 74 75 76	<dd><b>tls::socket</b> <em> ?-server command? ?options? port</em></dd> <dd><b>tls::handshake</b> <em> channel</em></dd> <dd><b>tls::status </b> <em>?-local? channel</em></dd> <dd><b>tls::connection </b> <em>channel</em></dd> <dd><b>tls::import</b> <em>channel ?options?</em></dd> <dd><b>tls::unimport</b> <em>channel</em></dd> <dt> </dt> ~~<dd><b>tls::ciphers </b> <em>protocol ?verbose? ?supported?</em></dd>~~ <dd><b>tls::protocols</b></dd> <dd><b>tls::version</b></dd> </dl> </dd> <dd><a href="#COMMANDS">COMMANDS</a></dd> <dd><a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a></dd> <dd><a href="#HTTPS EXAMPLE">HTTPS EXAMPLE</a></dd> <dd><a href="#SEE ALSO">SPECIAL CONSIDERATIONS</a></dd> <dd><a href="#SEE ALSO">SEE ALSO</a></dd> </dl> <hr> <h3><a name="NAME">NAME</a></h3> <p><strong>tls</strong> - binding to <strong>OpenSSL</strong> toolkit.</p> <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> ~~<p><b>package require Tcl 8.4</b><br>~~ <b>package require tls</b><br> <br> <a href="#tls::init"><b>tls::init</b> <i>?options?</i></a><br> <a href="#tls::socket"><b>tls::socket</b> <i>?options? host port</i><br> <a href="#tls::socket"><b>tls::socket</b> <i>?-server command? ?options? port</i></a><br> <a href="#tls::status"><b>tls::status</b> <i>?-local? channel</i></a><br> <a href="#tls::connection"><b>tls::connection</b> <i>channel</i></a><br> <a href="#tls::handshake"><b>tls::handshake</b> <i>channel</i></a><br> <a href="#tls::import"><b>tls::import</b> <i>channel ?options?</i></a><br> <a href="#tls::unimport"><b>tls::unimport</b> <i>channel</i></a><br> <br> ~~<a href="#tls::ciphers"><b>tls::ciphers</b> <i>protocol ?verbose? ?supported?</i></a><br>~~ ~~<a href="#tls::protocols"><b>tls::protocols</b></a> <a href="#tls::version"><b>tls::version</b></a>~~ </p> <h3><a name="DESCRIPTION">DESCRIPTION</a></h3> <p>This extension provides a generic binding to <a href="http://www.openssl.org/">OpenSSL</a>, utilizing the <strong>Tcl_StackChannel</strong>	> \| > > > > > > > > > > > \| > \| > > \| \| > > > > > > > > >	27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100	<dd><b>tls::socket</b> <em> ?-server command? ?options? port</em></dd> <dd><b>tls::handshake</b> <em> channel</em></dd> <dd><b>tls::status </b> <em>?-local? channel</em></dd> <dd><b>tls::connection </b> <em>channel</em></dd> <dd><b>tls::import</b> <em>channel ?options?</em></dd> <dd><b>tls::unimport</b> <em>channel</em></dd> <dt> </dt> <dd><b>tls::cipher</b> <em>name</em></dd> <dd><b>tls::ciphers</b> <em>?protocol? ?verbose? ?supported?</em></dd> <dd><b>tls::digests</b> <em>?name?</em></dd> <dd><b>tls::macs</b></dd> <dd><b>tls::protocols</b></dd> <dd><b>tls::version</b></dd> <dt> </dt> <dd><b>tls::digest</b> <b>-digest</b> <em>name ?options?</em></dd> <dd><b>tls::cmac</b> <b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?options?</em></dd> <dd><b>tls::hmac</b> <b>-digest</b> <em>name</em> <b>-key</b> <em>key ?options?</em></dd> <dd><b>tls::md4</b> <em>data</em></dd> <dd><b>tls::md5</b> <em>data</em></dd> <dd><b>tls::sha1</b> <em>data</em></dd> <dd><b>tls::sha256</b> <em>data</em></dd> <dd><b>tls::sha512</b> <em>data</em></dd> </dl> </dd> <dd><a href="#COMMANDS">COMMANDS</a></dd> <dd><a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a></dd> <dd><a href="#HTTPS EXAMPLE">HTTPS EXAMPLE</a></dd> <dd><a href="#SEE ALSO">SPECIAL CONSIDERATIONS</a></dd> <dd><a href="#SEE ALSO">SEE ALSO</a></dd> </dl> <hr> <h3><a name="NAME">NAME</a></h3> <p><strong>tls</strong> - binding to <strong>OpenSSL</strong> toolkit.</p> <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> <p><b>package require Tcl 8.5</b><br> <b>package require tls</b><br> <br> <a href="#tls::init"><b>tls::init</b> <i>?options?</i></a><br> <a href="#tls::socket"><b>tls::socket</b> <i>?options? host port</i><br> <a href="#tls::socket"><b>tls::socket</b> <i>?-server command? ?options? port</i></a><br> <a href="#tls::status"><b>tls::status</b> <i>?-local? channel</i></a><br> <a href="#tls::connection"><b>tls::connection</b> <i>channel</i></a><br> <a href="#tls::handshake"><b>tls::handshake</b> <i>channel</i></a><br> <a href="#tls::import"><b>tls::import</b> <i>channel ?options?</i></a><br> <a href="#tls::unimport"><b>tls::unimport</b> <i>channel</i></a><br> <br> <a href="#tls::cipher"><b>tls::cipher</b> <i>name</i></a><br> <a href="#tls::ciphers"><b>tls::ciphers</b> <i>?protocol? ?verbose? ?supported?</i></a><br> <a href="#tls::digests"><b>tls::digests</b> <i>?name?</i></a><br> <a href="#tls::macs"><b>tls::macs</b></a><br> <a href="#tls::protocols"><b>tls::protocols</b></a><br> <a href="#tls::version"><b>tls::version</b></a><br> <br> <a href="#tls::digest"><b>tls::digest</b> <b>-digest</b> <i>name ?options?</i></a><br> <a href="#tls::cmac"><b>tls::cmac</b> <b>-cipher</b> <i>name</i> <b>-key</b> <i>key ?options?</i></a><br> <a href="#tls::hmac"><b>tls::hmac</b> <b>-digest</b> <i>name</i> <b>-key</b> <i>key ?options?</i></a><br> <a href="#tls::md4"><b>tls::md4</b> <i>data</i></a><br> <a href="#tls::md5"><b>tls::md5</b> <i>data</i></a><br> <a href="#tls::sha1"><b>tls::sha1</b> <i>data</i></a><br> <a href="#tls::sha256"><b>tls::sha256</b> <i>data</i></a><br> <a href="#tls::sha512"><b>tls::sha512</b> <i>data</i></a><br> </p> <h3><a name="DESCRIPTION">DESCRIPTION</a></h3> <p>This extension provides a generic binding to <a href="http://www.openssl.org/">OpenSSL</a>, utilizing the <strong>Tcl_StackChannel</strong>
︙			︙
409 410 411 412 413 414 415 416 417 ~~418 419~~ ~~420 421 422 423 424 425~~ 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441	<dd>Unique session ticket application data.</dd> <dt><strong>master_key</strong> <em>binary_string</em></dt> <dd>Unique session master key.</dd> <dt><strong>session_cache_mode</strong> <em>mode</em></dt> <dd>Server cache mode (client, server, or both).</dd> </dl> </blockquote> <dt><a name="tls::ciphers"><strong>tls::ciphers</strong> ~~<em>protocol ?verbose? ?supported?</em></a></dt> <dd>Returns a list of ~~supported~~ ciphers ~~available for~~ <em>protocol</em>,~~ ~~where~~ protocol ~~must be one of <b>ssl2, ssl3, tls1, tls1.1,~~ ~~tls1.2,</b> or <b>tls1.3</b>. If <em>verbose</em> is specified as~~ true then a verbose, human readable ~~list is returned with~~ additional information on the cipher. If ~~<em>supported</em>~~ is specified as true, then only the ciphers ~~supported for protocol~~ will be listed.</dd> <dt><a name="tls::protocols"><strong>tls::protocols</strong></a></dt> <dd>Returns a list of supported protocols. Valid values are: <b>ssl2</b>, <b>ssl3</b>, <b>tls1</b>, <b>tls1.1</b>, <b>tls1.2</b>, and <b>tls1.3</b>. Exact list depends on OpenSSL version and compile time flags.</dd> <dt><a name="tls::version"><strong>tls::version</strong></a></dt> <dd>Returns the OpenSSL version string.</dd> </dl> <h3><a name="CALLBACK OPTIONS">CALLBACK OPTIONS</a></h3> <p> As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the	> > > > > \| \| > \| < \| \| \| \| > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >	433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541	<dd>Unique session ticket application data.</dd> <dt><strong>master_key</strong> <em>binary_string</em></dt> <dd>Unique session master key.</dd> <dt><strong>session_cache_mode</strong> <em>mode</em></dt> <dd>Server cache mode (client, server, or both).</dd> </dl> </blockquote> <dt><a name="tls::cipher"><strong>tls::cipher</strong> <em>name</em></a></dt> <dd>Return a list of property names and values describing cipher <i>name</i>. Properties include name, description, block_size, key_length, iv_length, type, and mode list.</dd> <dt><a name="tls::ciphers"><strong>tls::ciphers</strong> <em>?protocol? ?verbose? ?supported?</em></a></dt> <dd>Without any args, returns a list of all ciphers. With <em>protocol</em>, only the ciphers supported for that protocol are returned. See <b>tls::protocols</b> command for the supported protocols. If <em>verbose</em> is specified as true then a verbose, human readable list is returned with additional information on the cipher. If <em>supported</em> is specified as true, then only the ciphers supported for protocol will be listed.</dd> <dt><a name="tls::digests"><strong>tls::digests</strong> <em>?name?</em></a></dt> <dd>Without <em>name</em>, returns a list of the supported hash algorithms for <b>tls::digest</b> command. With <em>name</em>, returns a list of property names and values describing digest <i>name</i>. Properties include name, description, size, block_size, type, and flags list.</dd> <dt><a name="tls::macs"><strong>tls::macs</strong></a></dt> <dd>Returns a list of the available Message Authentication Codes (MAC) for the <b>tls::digest</b> command.</dd> <dt><a name="tls::protocols"><strong>tls::protocols</strong></a></dt> <dd>Returns a list of supported protocols. Valid values are: <b>ssl2</b>, <b>ssl3</b>, <b>tls1</b>, <b>tls1.1</b>, <b>tls1.2</b>, and <b>tls1.3</b>. Exact list depends on OpenSSL version and compile time flags.</dd> <dt><a name="tls::version"><strong>tls::version</strong></a></dt> <dd>Returns the OpenSSL version string.</dd> <br> <dt><a name="tls::digest"><strong>tls::digest</strong> <b>-digest</b> <em>name ?-bin\|-hex? [-file filename \| -command cmdName \| -chan channelId \| -data data]</em></a></dt> <dd>Calculate the message digest for data using <em>digest</em> hash function. Returns value as a hex string (default) or as a binary value with <b>-bin</b> or <b>-binary</b> option. Digest can be any OpenSSL supported hash function including: <b>md4</b>, <b>md5</b>, <b>sha1</b>, <b>sha256</b>, <b>sha512</b>, <b>sha3-256</b>, etc. See <b>tls::digests</b> command for a full list. <br> Using the <b>-data</b> option will immediately return the message digest for <em>data</em> in the specified format. <br> Using the <b>-file</b> or <b>-filename</b> option will open file <em>filename</em>, read the file data, close the file, and return the message digest in the specified format. This uses the TCL APIs, so VFS files are supported. <br> Using the <b>-chan</b> or <b>-channel</b> option, a stacked channel is created for <em>channelId</em> and data read from the channel is used to calculate a message digest with the result returned with the last read operation before EOF. Channel is automatically set to binary mode. <br> Using the <b>-command</b> option, a new command <em>cmdName</em> is created and returned. To add data to the hash function, call "<em>cmdName</em> <b>update</b> <em>data</em>", where data is the data to add. When done, call "<em>cmdName</em> <b>finalize</b>" to return the message digest. </dd> <dt><a name="tls::cmac"><strong>tls::cmac</strong> <b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?-bin\|-hex? [-file filename \| -command cmdName \| -chan channelId \| -data data]</em></a></dt> <dd>Calculate the Cipher-based Message Authentication Code (CMAC). Same arguments as <b>tls::digest</b> with additional option <b>-cipher</b> to specify the cipher to use and for certain ciphers, <b>-key</b> to specify the key.</dd> <dt><a name="tls::hmac"><strong>tls::hmac</strong> <b>-digest</b> <em>name</em> <b>-key</b> <em>key ?-bin\|-hex? [-file filename \| -command cmdName \| -chan channelId \| -data data]</em></a></dt> <dd>Calculate the Hashed Message Authentication Code (HMAC). Same arguments as <b>tls::digest</b> with additional option <b>-key</b> to specify the key to use. To salt a password, append or prepend the salt data to the password. </dd> <dt><a name="tls::md4"><strong>tls::md4</strong> <em>data</em></a></dt> <dd>Returns the MD4 message-digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::md5"><strong>tls::md5</strong> <em>data</em></a></dt> <dd>Returns the MD5 message-digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::sha1"><strong>tls::sha1</strong> <em>data</em></a></dt> <dd>Returns the SHA1 secure hash algorithm digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::sha256"><strong>tls::sha256</strong> <em>data</em></a></dt> <dd>Returns the SHA-2 SHA256 secure hash algorithm digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::sha512"><strong>tls::sha512</strong> <em>data</em></a></dt> <dd>Returns the SHA-2 SHA512 secure hash algorithm digest for <em>data</em> as a hex string.</dd> </dl> <h3><a name="CALLBACK OPTIONS">CALLBACK OPTIONS</a></h3> <p> As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the
︙			︙

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 ~~23 24~~ 25 26 27 28 29 30 31	/* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * * Provides BIO layer to interface openssl to Tcl. / #include "tlsInt.h" static int BioWrite(BIO bio, const char buf, int bufLen) { Tcl_Channel chan; ~~~~Tcl_Size~~ ret;~~ int tclEofChan, tclErrno; chan = Tls_GetParent((State ) BIO_get_data(bio), 0); dprintf("[chan=%p] BioWrite(%p, <buf>, %d)", (void )chan, (void ) bio, bufLen); ~~ret = Tcl_WriteRaw(chan, buf, ~~(Tcl_Size)~~ bufLen);~~ tclEofChan = Tcl_Eof(chan); tclErrno = Tcl_GetErrno(); ~~~~dprintf("[chan=%p] BioWrite(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d]",~~ (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());~~ BIO_clear_flags(bio, BIO_FLAGS_WRITE \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0;	\| \| < \|	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30	/* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * * Provides BIO layer to interface openssl to Tcl. / #include "tlsInt.h" static int BioWrite(BIO bio, const char buf, int bufLen) { Tcl_Channel chan; int ret; int tclEofChan, tclErrno; chan = Tls_GetParent((State ) BIO_get_data(bio), 0); dprintf("[chan=%p] BioWrite(%p, <buf>, %d)", (void )chan, (void ) bio, bufLen); ret = (int) Tcl_WriteRaw(chan, buf, bufLen); tclEofChan = Tcl_Eof(chan); tclErrno = Tcl_GetErrno(); dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno()); BIO_clear_flags(bio, BIO_FLAGS_WRITE \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0;
︙			︙
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 ~~79 80~~ 81 82 83 84 85 86 87	if (ret != -1 \|\| (ret == -1 && tclErrno == EAGAIN)) { if (BIO_should_read(bio)) { dprintf("Setting should retry read flag"); BIO_set_retry_read(bio); } } ~~return(~~(int)~~ ret);~~ } static int BioRead(BIO bio, char buf, int bufLen) { Tcl_Channel chan; Tcl_Size ret = 0; int tclEofChan, tclErrno; chan = Tls_GetParent((State ) BIO_get_data(bio), 0); dprintf("[chan=%p] BioRead(%p, <buf>, %d)", (void ) chan, (void ) bio, bufLen); if (buf == NULL) { return 0; } ~~ret = Tcl_ReadRaw(chan, buf, ~~(Tcl_Size)~~ bufLen);~~ tclEofChan = Tcl_Eof(chan); tclErrno = Tcl_GetErrno(); ~~~~dprintf("[chan=%p] BioRead(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d]",~~ (void ) chan, bufLen, ret, tclEofChan, tclErrno);~~ BIO_clear_flags(bio, BIO_FLAGS_READ \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0;	\| \| < \|	50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85	if (ret != -1 \|\| (ret == -1 && tclErrno == EAGAIN)) { if (BIO_should_read(bio)) { dprintf("Setting should retry read flag"); BIO_set_retry_read(bio); } } return(ret); } static int BioRead(BIO bio, char buf, int bufLen) { Tcl_Channel chan; Tcl_Size ret = 0; int tclEofChan, tclErrno; chan = Tls_GetParent((State ) BIO_get_data(bio), 0); dprintf("[chan=%p] BioRead(%p, <buf>, %d)", (void ) chan, (void ) bio, bufLen); if (buf == NULL) { return 0; } ret = Tcl_ReadRaw(chan, buf, bufLen); tclEofChan = Tcl_Eof(chan); tclErrno = Tcl_GetErrno(); dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void ) chan, bufLen, ret, tclEofChan, tclErrno); BIO_clear_flags(bio, BIO_FLAGS_READ \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0;
︙			︙
108 109 110 111 112 113 114 ~~115 116~~ 117 ~~118~~ 119 120 121 122 123 124 125	if (BIO_should_write(bio)) { dprintf("Setting should retry write flag"); BIO_set_retry_write(bio); } } ~~dprintf("BioRead(%p, <buf>, %d) [%p] returning %~~" TCL_SIZE_MODIFIER "d~~", (void ) bio, ~~bufLen, (void ) chan, ret);~~~~ ~~return(~~(int)~~ ret);~~ } static int BioPuts(BIO bio, const char str) { dprintf("BioPuts(%p, <string:%p>) called", bio, str); return BioWrite(bio, str, (int) strlen(str)); }	\| < \|	106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122	if (BIO_should_write(bio)) { dprintf("Setting should retry write flag"); BIO_set_retry_write(bio); } } dprintf("BioRead(%p, <buf>, %d) [%p] returning %i", (void ) bio, bufLen, (void ) chan, ret); return(ret); } static int BioPuts(BIO bio, const char str) { dprintf("BioPuts(%p, <string:%p>) called", bio, str); return BioWrite(bio, str, (int) strlen(str)); }
︙			︙

︙			︙
159 160 161 162 163 164 165 ~~166~~ 167 168 169 170 171 172 173	dprintf("Flushing the lower layers failed, this will probably terminate this session"); } } rc = SSL_get_error(statePtr->ssl, err); dprintf("Got error: %i (rc = %i)", err, rc); ~~dprintf("Got error: %s", E~~RR_reason_error_string(ERR_get_error()~~));~~ bioShouldRetry = 0; if (err <= 0) { if (rc == SSL_ERROR_WANT_CONNECT \|\| rc == SSL_ERROR_WANT_ACCEPT \|\| rc == SSL_ERROR_WANT_READ \|\| rc == SSL_ERROR_WANT_WRITE) { bioShouldRetry = 1; } else if (BIO_should_retry(statePtr->bio)) { bioShouldRetry = 1;	\|	159 160 161 162 163 164 165 166 167 168 169 170 171 172 173	dprintf("Flushing the lower layers failed, this will probably terminate this session"); } } rc = SSL_get_error(statePtr->ssl, err); dprintf("Got error: %i (rc = %i)", err, rc); dprintf("Got error: %s", REASON()); bioShouldRetry = 0; if (err <= 0) { if (rc == SSL_ERROR_WANT_CONNECT \|\| rc == SSL_ERROR_WANT_ACCEPT \|\| rc == SSL_ERROR_WANT_READ \|\| rc == SSL_ERROR_WANT_WRITE) { bioShouldRetry = 1; } else if (BIO_should_retry(statePtr->bio)) { bioShouldRetry = 1;
︙			︙
230 231 232 233 234 235 236 ~~237~~ 238 239 240 241 242 243 244	} statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; return(-1); case SSL_ERROR_SSL: dprintf("Got permanent fatal SSL error, aborting immediately"); ~~Tls_Error(statePtr, (char )E~~RR_reason_error_string(ERR_get_error()~~));~~ statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; errorCodePtr = ECONNABORTED; return(-1); case SSL_ERROR_WANT_CONNECT: case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_X509_LOOKUP:	\|	230 231 232 233 234 235 236 237 238 239 240 241 242 243 244	} statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; return(-1); case SSL_ERROR_SSL: dprintf("Got permanent fatal SSL error, aborting immediately"); Tls_Error(statePtr, (char )REASON()); statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; errorCodePtr = ECONNABORTED; return(-1); case SSL_ERROR_WANT_CONNECT: case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_X509_LOOKUP:
︙			︙

︙			︙
38 39 40 41 42 43 44 ~~45 46 47 48 49~~ 50 51 52 53 54 55 56	# endif #endif /* * Backwards compatibility for size type change */ #if TCL_MAJOR_VERSION < 9 && TCL_MINOR_VERSION < 7 ~~#ifn~~def Tcl_Size ~~typedef int Tcl_Size;~~ ~~#endif~~ ~~#define TCL_SIZE_MODIFIER ""~~ #endif #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> #include <openssl/opensslv.h>	\| < < < <	38 39 40 41 42 43 44 45 46 47 48 49 50 51 52	# endif #endif /* * Backwards compatibility for size type change */ #if TCL_MAJOR_VERSION < 9 && TCL_MINOR_VERSION < 7 # define Tcl_Size int #endif #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> #include <openssl/opensslv.h>
︙			︙
100 101 102 103 104 105 106 107 108 109 110 111 112 113	#else #define dprintf(...) if (0) { fprintf(stderr, __VA_ARGS__); } #define dprintBuffer(bufferName, bufferLength) // #define dprintFlags(statePtr) // #endif #define TCLTLS_SSL_ERROR(ssl,err) ((char)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err)))) / Common list append macros */ #define LAPPEND_BARRAY(interp, obj, text, value, size) {\ if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \ Tcl_ListObjAppendElement(interp, obj, Tcl_NewByteArrayObj(value, size)); \ } #define LAPPEND_STR(interp, obj, text, value, size) {\	>	96 97 98 99 100 101 102 103 104 105 106 107 108 109 110	#else #define dprintf(...) if (0) { fprintf(stderr, __VA_ARGS__); } #define dprintBuffer(bufferName, bufferLength) // #define dprintFlags(statePtr) // #endif #define TCLTLS_SSL_ERROR(ssl,err) ((char)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err)))) #define REASON() ERR_reason_error_string(ERR_get_error()) / Common list append macros */ #define LAPPEND_BARRAY(interp, obj, text, value, size) {\ if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \ Tcl_ListObjAppendElement(interp, obj, Tcl_NewByteArrayObj(value, size)); \ } #define LAPPEND_STR(interp, obj, text, value, size) {\
︙			︙
194 195 196 197 198 199 200 201 202 203 204 205 206	Tcl_Obj Tls_NewX509Obj(Tcl_Interp interp, X509 cert); Tcl_Obj Tls_NewCAObj(Tcl_Interp interp, const SSL ssl, int peer); void Tls_Error(State statePtr, char msg); void Tls_Free(char blockPtr); void Tls_Clean(State statePtr); int Tls_WaitForConnect(State statePtr, int errorCodePtr, int handshakeFailureIsPermanent); BIO BIO_new_tcl(State statePtr, int flags); #define PTR2INT(x) ((int) ((intptr_t) (x))) #endif /* _TLSINT_H */	> >	191 192 193 194 195 196 197 198 199 200 201 202 203 204 205	Tcl_Obj Tls_NewX509Obj(Tcl_Interp interp, X509 cert); Tcl_Obj Tls_NewCAObj(Tcl_Interp interp, const SSL ssl, int peer); void Tls_Error(State statePtr, char msg); void Tls_Free(char blockPtr); void Tls_Clean(State statePtr); int Tls_WaitForConnect(State statePtr, int errorCodePtr, int handshakeFailureIsPermanent); int Tls_DigestCommands(Tcl_Interp interp); int Tls_InfoCommands(Tcl_Interp interp); BIO BIO_new_tcl(State statePtr, int flags); #define PTR2INT(x) ((int) ((intptr_t) (x))) #endif /* _TLSINT_H */

︙			︙
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55	* / #include "tlsInt.h" #include "tclOpts.h" #include <stdio.h> #include <stdlib.h> #include <openssl/rsa.h> #include <openssl/safestack.h> / Min OpenSSL version / #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif / * External functions / / * Forward declarations / #define F2N(key, dsp) \ (((key) == NULL) ? (char ) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) ~~#define REASON() ERR_reason_error_string(ERR_get_error())~~ static SSL_CTX CTX_Init(State statePtr, int isServer, int proto, char key, char certfile, unsigned char key_asn1, unsigned char cert_asn1, int key_asn1_len, int cert_asn1_len, char CAdir, char CAfile, char ciphers, char ciphersuites, int level, char *DHparams); static int TlsLibInit(int uninitialize);	> > > > <	22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58	* / #include "tlsInt.h" #include "tclOpts.h" #include <stdio.h> #include <stdlib.h> #include <openssl/crypto.h> #include <openssl/ssl.h> #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/rsa.h> #include <openssl/safestack.h> / Min OpenSSL version / #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif / * External functions / / * Forward declarations / #define F2N(key, dsp) \ (((key) == NULL) ? (char ) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) static SSL_CTX CTX_Init(State statePtr, int isServer, int proto, char key, char certfile, unsigned char key_asn1, unsigned char cert_asn1, int key_asn1_len, int cert_asn1_len, char CAdir, char CAfile, char ciphers, char ciphersuites, int level, char *DHparams); static int TlsLibInit(int uninitialize);
︙			︙
442 443 444 445 446 447 448 ~~449~~ 450 451 452 453 454 455 456	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); if (msg != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); ~~} else if ((msg = Tcl_GetStringFromObj(Tcl_GetObjResult(interp), ~~(Tcl_Size *)~~NULL)) != NULL) {~~ Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); } else { listPtr = Tcl_NewListObj(0, NULL); while ((err = ERR_get_error()) != 0) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1)); }	\|	445 446 447 448 449 450 451 452 453 454 455 456 457 458 459	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); if (msg != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); } else if ((msg = Tcl_GetStringFromObj(Tcl_GetObjResult(interp), NULL)) != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); } else { listPtr = Tcl_NewListObj(0, NULL); while ((err = ERR_get_error()) != 0) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1)); }
︙			︙
549 550 551 552 553 554 555 ~~556~~ 557 ~~558 559~~ 560 561 562 563 ~~564~~ 565 566 567 568 569 570 571	} Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long / if (code == TCL_OK) { ~~~~Tcl_Size~~ len;~~ char ret = (char ) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); ~~if (len > ~~(Tcl_Size)~~ size-1) { len = ~~(Tcl_Size)~~ size-1;~~ } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((ClientData) interp); ~~return(~~(int)~~ len);~~ } Tcl_Release((ClientData) interp); return -1; } / *-------------------------------------------------------------------	\| \| \| \|	552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574	} Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long / if (code == TCL_OK) { int len; char ret = (char ) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > size-1) { len = size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((ClientData) interp); return(len); } Tcl_Release((ClientData) interp); return -1; } / *-------------------------------------------------------------------
︙			︙
611 612 613 614 615 616 617 ~~618~~ 619 620 621 ~~622~~ 623 624 625 626 627 628 629	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); /* Session id / session_id = SSL_SESSION_get_id(session, &ulen); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (~~Tcl_Size~~) ulen));~~ / Session ticket / SSL_SESSION_get0_ticket(session, &ticket, &len2); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(ticket, (~~Tcl_Size~~) len2));~~ / Lifetime - number of seconds / Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); / Eval callback command */ Tcl_IncrRefCount(cmdPtr);	\| \|	614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); /* Session id / session_id = SSL_SESSION_get_id(session, &ulen); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (int) ulen)); / Session ticket / SSL_SESSION_get0_ticket(session, &ticket, &len2); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(ticket, (int) len2)); / Lifetime - number of seconds / Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); / Eval callback command */ Tcl_IncrRefCount(cmdPtr);
︙			︙
900 901 902 903 904 905 906 ~~907~~ 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150	servername = (const char )p; / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (~~Tcl_Size~~) len));~~ / Eval callback command / Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_CLIENT_HELLO_RETRY; alert = SSL_R_TLSV1_ALERT_USER_CANCELLED; } else if (code == 1) { res = SSL_CLIENT_HELLO_SUCCESS; } else { res = SSL_CLIENT_HELLO_ERROR; alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; } Tcl_DecrRefCount(cmdPtr); return res; } /******************/ / Commands / /******************/ / ------------------------------------------------------------------- * CiphersObjCmd -- list available ciphers * * This procedure is invoked to process the "tls::ciphers" command * to list available ciphers, based upon protocol selected. * * Results: * A standard Tcl result list. * * Side effects: * constructs and destroys SSL context (CTX) * ------------------------------------------------------------------- / ~~static const char protocols[] = {~~ ~~"ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL~~ }; ~~enum protocol {~~ ~~TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE~~ }; ~~static int~~ ~~CiphersObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) {~~ ~~Tcl_Obj objPtr = NULL;~~ ~~SSL_CTX ctx = NULL;~~ ~~SSL ssl = NULL;~~ ~~STACK_OF(SSL_CIPHER) sk;~~ ~~char cp, buf[BUFSIZ];~~ ~~int index, verbose = 0, use_supported = 0;~~ ~~const SSL_METHOD method;~~ ~~dprintf("Called");~~ ~~if ((objc < 2) \|\| (objc > 4)) {~~ ~~Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose? ?supported?");~~ ~~return TCL_ERROR;~~ } ~~if (Tcl_GetIndexFromObj(interp, objv[1], protocols, "protocol", 0, &index) != TCL_OK) {~~ ~~return TCL_ERROR;~~ } ~~if ((objc > 2) && Tcl_GetBooleanFromObj(interp, objv[2], &verbose) != TCL_OK) {~~ ~~return TCL_ERROR;~~ } ~~if ((objc > 3) && Tcl_GetBooleanFromObj(interp, objv[3], &use_supported) != TCL_OK) {~~ ~~return TCL_ERROR;~~ } ~~ERR_clear_error();~~ ~~switch ((enum protocol)index) {~~ ~~case TLS_SSL2:~~ ~~#if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = SSLv2_method(); break;~~ ~~#endif~~ ~~case TLS_SSL3:~~ ~~#if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) \|\| defined(OPENSSL_NO_SSL3_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = SSLv3_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1:~~ ~~#if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) \|\| defined(OPENSSL_NO_TLS1_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLSv1_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1_1:~~ ~~#if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLSv1_1_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1_2:~~ ~~#if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLSv1_2_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1_3:~~ ~~#if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLS_method();~~ ~~SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);~~ ~~SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);~~ ~~break;~~ ~~#endif~~ ~~default:~~ ~~method = TLS_method();~~ ~~break;~~ } ~~ctx = SSL_CTX_new(method);~~ ~~if (ctx == NULL) {~~ ~~Tcl_AppendResult(interp, REASON(), NULL);~~ ~~return TCL_ERROR;~~ } ~~ssl = SSL_new(ctx);~~ ~~if (ssl == NULL) {~~ ~~Tcl_AppendResult(interp, REASON(), NULL);~~ ~~SSL_CTX_free(ctx);~~ ~~return TCL_ERROR;~~ } ~~/ Use list and order as would be sent in a ClientHello or all available ciphers /~~ ~~if (use_supported) {~~ ~~sk = SSL_get1_supported_ciphers(ssl);~~ ~~} else {~~ ~~sk = SSL_get_ciphers(ssl);~~ } ~~if (sk != NULL) {~~ ~~if (!verbose) {~~ ~~objPtr = Tcl_NewListObj(0, NULL);~~ ~~for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {~~ ~~const SSL_CIPHER c = sk_SSL_CIPHER_value(sk, i);~~ ~~if (c == NULL) continue;~~ ~~/* cipher name or (NONE) /~~ ~~cp = SSL_CIPHER_get_name(c);~~ ~~if (cp == NULL) break;~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(cp, -1));~~ } ~~} else {~~ ~~objPtr = Tcl_NewStringObj("",0);~~ ~~for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {~~ ~~const SSL_CIPHER c = sk_SSL_CIPHER_value(sk, i);~~ ~~if (c == NULL) continue;~~ ~~/* textual description of the cipher /~~ ~~if (SSL_CIPHER_description(c, buf, sizeof(buf)) != NULL) {~~ ~~Tcl_AppendToObj(objPtr, buf, (Tcl_Size) strlen(buf));~~ ~~} else {~~ ~~Tcl_AppendToObj(objPtr, "UNKNOWN\n", 8);~~ } } } ~~if (use_supported) {~~ ~~sk_SSL_CIPHER_free(sk);~~ } } ~~SSL_free(ssl);~~ ~~SSL_CTX_free(ctx);~~ ~~Tcl_SetObjResult(interp, objPtr);~~ ~~return TCL_OK;~~ ~~clientData = clientData;~~ } / ------------------------------------------------------------------- * ProtocolsObjCmd -- list available protocols * * This procedure is invoked to process the "tls::protocols" command * to list available protocols. * * Results: * A standard Tcl result list. * * Side effects: * none * ------------------------------------------------------------------- / ~~static int~~ ~~ProtocolsObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) {~~ ~~Tcl_Obj objPtr;~~ ~~dprintf("Called");~~ ~~if (objc != 1) {~~ ~~Tcl_WrongNumArgs(interp, 1, objv, "");~~ ~~return TCL_ERROR;~~ } ~~ERR_clear_error();~~ ~~objPtr = Tcl_NewListObj(0, NULL);~~ ~~#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL2], -1));~~ ~~#endif~~ ~~#if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL3], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_1], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_2], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_3], -1));~~ ~~#endif~~ ~~Tcl_SetObjResult(interp, objPtr);~~ ~~return TCL_OK;~~ ~~clientData = clientData;~~ } / ------------------------------------------------------------------- * HandshakeObjCmd -- * * This command is used to verify whether the handshake is complete * or not.	\| < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < <	903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937	servername = (const char )p; / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (int) len)); / Eval callback command / Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_CLIENT_HELLO_RETRY; alert = SSL_R_TLSV1_ALERT_USER_CANCELLED; } else if (code == 1) { res = SSL_CLIENT_HELLO_SUCCESS; } else { res = SSL_CLIENT_HELLO_ERROR; alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; } Tcl_DecrRefCount(cmdPtr); return res; } /******************/ / Commands / /******************/ / ------------------------------------------------------------------- * HandshakeObjCmd -- * * This command is used to verify whether the handshake is complete * or not.
︙			︙
1169 1170 1171 1172 1173 1174 1175 ~~1176~~ 1177 1178 1179 1180 1181 1182 1183	if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ERR_clear_error(); ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } / Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {	\|	956 957 958 959 960 961 962 963 964 965 966 967 968 969 970	if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ERR_clear_error(); chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
︙			︙
1247 1248 1249 1250 1251 1252 1253 ~~1254 1255~~ 1256 1257 1258 1259 1260 ~~1261~~ 1262 ~~1263~~ 1264 1265 1266 1267 1268 1269 1270	Tcl_Channel chan; /* The channel to set a mode on. / State statePtr; /* client state for ssl socket / SSL_CTX ctx = NULL; Tcl_Obj script = NULL; Tcl_Obj password = NULL; Tcl_Obj vcmd = NULL; Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; ~~int idx; ~~Tcl_Size len;~~~~ int flags = TLS_TCL_INIT; int server = 0; / is connection incoming or outgoing? / char keyfile = NULL; char certfile = NULL; unsigned char key = NULL; ~~~~Tcl_Size~~ key_len = 0;~~ unsigned char cert = NULL; ~~~~Tcl_Size~~ cert_len = 0;~~ char ciphers = NULL; char ciphersuites = NULL; char CAfile = NULL; char CAdir = NULL; char DHparams = NULL; char model = NULL; char servername = NULL; /* hostname for Server Name Indication */	\| < \| \|	1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056	Tcl_Channel chan; /* The channel to set a mode on. / State statePtr; /* client state for ssl socket / SSL_CTX ctx = NULL; Tcl_Obj script = NULL; Tcl_Obj password = NULL; Tcl_Obj vcmd = NULL; Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; int idx, len; int flags = TLS_TCL_INIT; int server = 0; / is connection incoming or outgoing? / char keyfile = NULL; char certfile = NULL; unsigned char key = NULL; int key_len = 0; unsigned char cert = NULL; int cert_len = 0; char ciphers = NULL; char ciphersuites = NULL; char CAfile = NULL; char CAdir = NULL; char DHparams = NULL; char model = NULL; char servername = NULL; /* hostname for Server Name Indication */
︙			︙
1293 1294 1295 1296 1297 1298 1299 ~~1300~~ 1301 1302 1303 1304 1305 1306 1307 1308 ~~1309~~ 1310 1311 1312 1313 1314 1315 1316	if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; } ERR_clear_error(); ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } / Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); for (idx = 2; idx < objc; idx++) { ~~char opt = Tcl_GetStringFromObj(objv[idx], ~~(Tcl_Size *)~~NULL);~~ if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile);	\| \|	1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102	if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; } ERR_clear_error(); chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } /* Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); for (idx = 2; idx < objc; idx++) { char opt = Tcl_GetStringFromObj(objv[idx], NULL); if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile);
︙			︙
1422 1423 1424 1425 1426 1427 1428 ~~1429 1430~~ 1431 1432 1433 1434 1435 1436 1437	"\": not a TLS channel", NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ctx = ((State )Tcl_GetChannelInstanceData(chan))->ctx; } else { ~~if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, ~~(int)~~ key_len, ~~(int)~~ cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) {~~ Tls_Free((char ) statePtr); return TCL_ERROR; } } statePtr->ctx = ctx;	\| \|	1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223	"\": not a TLS channel", NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ctx = ((State )Tcl_GetChannelInstanceData(chan))->ctx; } else { if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, key_len, cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) { Tls_Free((char ) statePtr); return TCL_ERROR; } } statePtr->ctx = ctx;
︙			︙
1513 1514 1515 1516 1517 1518 1519 ~~1520 1521~~ 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 ~~1538~~ 1539 1540 1541 1542 1543 ~~1544 1545 1546 1547~~ 1548 1549 1550 1551 1552 1553 1554	/* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0, http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. / if (alpn) { / Convert a TCL list into a protocol-list in wire-format / unsigned char protos, p; unsigned int protos_len = 0; ~~~~Tcl_Size cnt, i;~~ int j;~~ Tcl_Obj list; if (Tcl_ListObjGetElements(interp, alpn, &cnt, &list) != TCL_OK) { Tls_Free((char ) statePtr); return TCL_ERROR; } /* Determine the memory required for the protocol-list / for (i = 0; i < cnt; i++) { Tcl_GetStringFromObj(list[i], &len); if (len > 255) { Tcl_AppendResult(interp, "ALPN protocol name too long", (char ) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ~~protos_len += 1 + ~~(int)~~ len;~~ } /* Build the complete protocol-list / protos = ckalloc(protos_len); / protocol-lists consist of 8-bit length-prefixed, byte strings / ~~for (j = 0, p = protos; j < cnt; j++) { char str = Tcl_GetStringFromObj(list[j], &len); p++ = ~~(unsigned char)~~ len; memcpy(p, str, ~~(size_t)~~ len);~~ p += len; } / SSL_set_alpn_protos makes a copy of the protocol-list / / Note: This functions reverses the return value convention / if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "failed to set ALPN protocols", (char ) NULL);	< \| \| \| \| \| \|	1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339	/* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0, http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. / if (alpn) { / Convert a TCL list into a protocol-list in wire-format / unsigned char protos, p; unsigned int protos_len = 0; int i, len, cnt; Tcl_Obj list; if (Tcl_ListObjGetElements(interp, alpn, &cnt, &list) != TCL_OK) { Tls_Free((char ) statePtr); return TCL_ERROR; } /* Determine the memory required for the protocol-list / for (i = 0; i < cnt; i++) { Tcl_GetStringFromObj(list[i], &len); if (len > 255) { Tcl_AppendResult(interp, "ALPN protocol name too long", (char ) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } protos_len += 1 + len; } /* Build the complete protocol-list / protos = ckalloc(protos_len); / protocol-lists consist of 8-bit length-prefixed, byte strings / for (i = 0, p = protos; i < cnt; i++) { char str = Tcl_GetStringFromObj(list[i], &len); p++ = len; memcpy(p, str, len); p += len; } / SSL_set_alpn_protos makes a copy of the protocol-list / / Note: This functions reverses the return value convention / if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "failed to set ALPN protocols", (char ) NULL);
︙			︙
1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579	statePtr->protos_len = 0; } /* * SSL Callbacks / SSL_set_app_data(statePtr->ssl, (void )statePtr); /* point back to us / SSL_set_verify(statePtr->ssl, verify, VerifyCallback); SSL_set_info_callback(statePtr->ssl, InfoCallback); / Callback for observing protocol messages / #ifndef OPENSSL_NO_SSL_TRACE / void SSL_CTX_set_msg_callback_arg(statePtr->ctx, (void )statePtr); void SSL_CTX_set_msg_callback(statePtr->ctx, MessageCallback); /	>	1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365	statePtr->protos_len = 0; } /* * SSL Callbacks / SSL_set_app_data(statePtr->ssl, (void )statePtr); /* point back to us / SSL_set_verify(statePtr->ssl, verify, VerifyCallback); SSL_set_info_callback(statePtr->ssl, InfoCallback); / Callback for observing protocol messages / #ifndef OPENSSL_NO_SSL_TRACE / void SSL_CTX_set_msg_callback_arg(statePtr->ctx, (void )statePtr); void SSL_CTX_set_msg_callback(statePtr->ctx, MessageCallback); /
︙			︙
1718 1719 1720 1721 1722 1723 1724 ~~1725~~ 1726 1727 1728 1729 1730 1731 ~~1732~~ 1733 1734 1735 1736 1737 ~~1738~~ 1739 1740 1741 1742 1743 ~~1744~~ 1745 1746 1747 1748 1749 ~~1750~~ 1751 1752 1753 1754 1755 ~~1756~~ 1757 1758 1759 1760 1761 ~~1762~~ 1763 1764 1765 1766 1767 1768 1769	int off = 0; int load_private_key; const SSL_METHOD method; dprintf("Called"); if (!proto) { ~~Tcl_AppendResult(interp, "no valid protocol selected", ~~(char )~~ NULL);~~ return NULL; } /* create SSL context / #if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { ~~Tcl_AppendResult(interp, "SSL2 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { ~~Tcl_AppendResult(interp, "SSL3 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { ~~Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { ~~Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { ~~Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { ~~Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", ~~(char )~~ NULL);~~ return NULL; } #endif if (proto == 0) { / Use full range */ SSL_CTX_set_min_proto_version(ctx, 0); SSL_CTX_set_max_proto_version(ctx, 0);	\| \| \| \| \| \| \|	1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555	int off = 0; int load_private_key; const SSL_METHOD method; dprintf("Called"); if (!proto) { Tcl_AppendResult(interp, "no valid protocol selected", NULL); return NULL; } / create SSL context / #if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { Tcl_AppendResult(interp, "SSL2 protocol not supported", NULL); return NULL; } #endif #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { Tcl_AppendResult(interp, "SSL3 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return NULL; } #endif if (proto == 0) { / Use full range */ SSL_CTX_set_min_proto_version(ctx, 0); SSL_CTX_set_max_proto_version(ctx, 0);
︙			︙
1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856	} #endif /* Force cipher selection order by server / if (!isServer) { SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } SSL_CTX_set_app_data(ctx, (void)interp); /* remember the interpreter / SSL_CTX_set_options(ctx, SSL_OP_ALL); / all SSL bug workarounds / SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); / disable compression even if supported / SSL_CTX_set_options(ctx, off); / disable protocol versions / #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); / handle new handshakes in background. On by default in OpenSSL 1.1.1. */	> > > >	1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646	} #endif /* Force cipher selection order by server / if (!isServer) { SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } #if OPENSSL_VERSION_NUMBER < 0x10100000L OpenSSL_add_all_algorithms(); / Load ciphers and digests / #endif SSL_CTX_set_app_data(ctx, (void)interp); /* remember the interpreter / SSL_CTX_set_options(ctx, SSL_OP_ALL); / all SSL bug workarounds / SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); / disable compression even if supported / SSL_CTX_set_options(ctx, off); / disable protocol versions / #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); / handle new handshakes in background. On by default in OpenSSL 1.1.1. */
︙			︙
2060 2061 2062 2063 2064 2065 2066 ~~2067~~ 2068 2069 2070 2071 2072 2073 2074	if (objc < 2 \|\| objc > 3 \|\| (objc == 3 && !strcmp(Tcl_GetString(objv[1]), "-local"))) { Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); return TCL_ERROR; } /* Get channel Id / ~~channelName = Tcl_GetStringFromObj(objv[(objc == 2 ? 1 : 2)], ~~(Tcl_Size )~~ NULL);~~ chan = Tcl_GetChannel(interp, channelName, &mode); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan);	\|	1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864	if (objc < 2 \|\| objc > 3 \|\| (objc == 3 && !strcmp(Tcl_GetString(objv[1]), "-local"))) { Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); return TCL_ERROR; } /* Get channel Id / channelName = Tcl_GetStringFromObj(objv[(objc == 2 ? 1 : 2)], NULL); chan = Tcl_GetChannel(interp, channelName, &mode); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } / Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan);
︙			︙
2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095	/* Get certificate for peer or self / if (objc == 2) { peer = SSL_get_peer_certificate(statePtr->ssl); } else { peer = SSL_get_certificate(statePtr->ssl); } / Get X509 certificate info */ if (peer) { objPtr = Tls_NewX509Obj(interp, peer); if (objc == 2) { X509_free(peer); peer = NULL; }	>	1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886	/* Get certificate for peer or self / if (objc == 2) { peer = SSL_get_peer_certificate(statePtr->ssl); } else { peer = SSL_get_certificate(statePtr->ssl); } / Get X509 certificate info */ if (peer) { objPtr = Tls_NewX509Obj(interp, peer); if (objc == 2) { X509_free(peer); peer = NULL; }
︙			︙
2130 2131 2132 2133 2134 2135 2136 ~~2137~~ 2138 2139 2140 2141 2142 2143 2144	} /* Verify mode depth / LAPPEND_INT(interp, objPtr, "verifyDepth", SSL_get_verify_depth(statePtr->ssl)); / Report the selected protocol as a result of the negotiation / SSL_get0_alpn_selected(statePtr->ssl, &proto, &len); ~~LAPPEND_STR(interp, objPtr, "alpn", (char )proto, (~~Tcl_Size~~) len);~~ LAPPEND_STR(interp, objPtr, "protocol", SSL_get_version(statePtr->ssl), -1); /* Valid for non-RSA signature and TLS 1.3 */ if (objc == 2) { res = SSL_get_peer_signature_nid(statePtr->ssl, &nid); } else { res = SSL_get_signature_nid(statePtr->ssl, &nid);	\|	1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935	} /* Verify mode depth / LAPPEND_INT(interp, objPtr, "verifyDepth", SSL_get_verify_depth(statePtr->ssl)); / Report the selected protocol as a result of the negotiation / SSL_get0_alpn_selected(statePtr->ssl, &proto, &len); LAPPEND_STR(interp, objPtr, "alpn", (char )proto, (int) len); LAPPEND_STR(interp, objPtr, "protocol", SSL_get_version(statePtr->ssl), -1); /* Valid for non-RSA signature and TLS 1.3 */ if (objc == 2) { res = SSL_get_peer_signature_nid(statePtr->ssl, &nid); } else { res = SSL_get_signature_nid(statePtr->ssl, &nid);
︙			︙
2180 2181 2182 2183 2184 2185 2186 ~~2187~~ 2188 2189 2190 2191 2192 2193 2194	const EVP_MD md; if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {	\|	1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985	const EVP_MD md; if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } / Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
︙			︙
2287 2288 2289 2290 2291 2292 2293 ~~2294~~ 2295 2296 2297 2298 ~~2299~~ 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 ~~2313~~ 2314 2315 2316 ~~2317~~ 2318 2319 2320 ~~2321~~ 2322 2323 2324 2325 2326 2327 ~~2328~~ 2329 2330 2331 ~~2332~~ 2333 2334 2335 2336 2337 2338 2339	size_t len2; unsigned int ulen; const unsigned char session_id, proto; char buffer[SSL_MAX_MASTER_KEY_LENGTH]; /* Report the selected protocol as a result of the ALPN negotiation / SSL_SESSION_get0_alpn_selected(session, &proto, &len2); ~~LAPPEND_STR(interp, objPtr, "alpn", (char ) proto, (~~Tcl_Size~~) len2);~~ /* Report the selected protocol as a result of the NPN negotiation / #ifdef USE_NPN SSL_get0_next_proto_negotiated(ssl, &proto, &ulen); ~~LAPPEND_STR(interp, objPtr, "npn", (char ) proto, (~~Tcl_Size~~) ulen);~~ #endif /* Resumable session / LAPPEND_BOOL(interp, objPtr, "resumable", SSL_SESSION_is_resumable(session)); / Session start time (seconds since epoch) / LAPPEND_LONG(interp, objPtr, "start_time", SSL_SESSION_get_time(session)); / Timeout value - SSL_CTX_get_timeout (in seconds) / LAPPEND_LONG(interp, objPtr, "timeout", SSL_SESSION_get_timeout(session)); / Session id - TLSv1.2 and below only / session_id = SSL_SESSION_get_id(session, &ulen); ~~LAPPEND_BARRAY(interp, objPtr, "session_id", session_id, (~~Tcl_Size~~) ulen);~~ / Session context / session_id = SSL_SESSION_get0_id_context(session, &ulen); ~~LAPPEND_BARRAY(interp, objPtr, "session_context", session_id, (~~Tcl_Size~~) ulen);~~ / Session ticket - client only / SSL_SESSION_get0_ticket(session, &ticket, &len2); ~~LAPPEND_BARRAY(interp, objPtr, "session_ticket", ticket, (~~Tcl_Size~~) len2);~~ / Session ticket lifetime hint (in seconds) / LAPPEND_LONG(interp, objPtr, "lifetime", SSL_SESSION_get_ticket_lifetime_hint(session)); / Ticket app data / SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2); ~~LAPPEND_BARRAY(interp, objPtr, "ticket_app_data", ticket, (~~Tcl_Size~~) len2);~~ / Get master key / len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH); ~~LAPPEND_BARRAY(interp, objPtr, "master_key", buffer, (~~Tcl_Size~~) len2);~~ / Compression id / unsigned int id = SSL_SESSION_get_compress_id(session); LAPPEND_STR(interp, objPtr, "compression_id", id == 1 ? "zlib" : "none", -1); } / Compression info */	\| \| \| \| \| \| \|	2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130	size_t len2; unsigned int ulen; const unsigned char session_id, proto; char buffer[SSL_MAX_MASTER_KEY_LENGTH]; /* Report the selected protocol as a result of the ALPN negotiation / SSL_SESSION_get0_alpn_selected(session, &proto, &len2); LAPPEND_STR(interp, objPtr, "alpn", (char ) proto, (int) len2); /* Report the selected protocol as a result of the NPN negotiation / #ifdef USE_NPN SSL_get0_next_proto_negotiated(ssl, &proto, &ulen); LAPPEND_STR(interp, objPtr, "npn", (char ) proto, (int) ulen); #endif /* Resumable session / LAPPEND_BOOL(interp, objPtr, "resumable", SSL_SESSION_is_resumable(session)); / Session start time (seconds since epoch) / LAPPEND_LONG(interp, objPtr, "start_time", SSL_SESSION_get_time(session)); / Timeout value - SSL_CTX_get_timeout (in seconds) / LAPPEND_LONG(interp, objPtr, "timeout", SSL_SESSION_get_timeout(session)); / Session id - TLSv1.2 and below only / session_id = SSL_SESSION_get_id(session, &ulen); LAPPEND_BARRAY(interp, objPtr, "session_id", session_id, (int) ulen); / Session context / session_id = SSL_SESSION_get0_id_context(session, &ulen); LAPPEND_BARRAY(interp, objPtr, "session_context", session_id, (int) ulen); / Session ticket - client only / SSL_SESSION_get0_ticket(session, &ticket, &len2); LAPPEND_BARRAY(interp, objPtr, "session_ticket", ticket, (int) len2); / Session ticket lifetime hint (in seconds) / LAPPEND_LONG(interp, objPtr, "lifetime", SSL_SESSION_get_ticket_lifetime_hint(session)); / Ticket app data / SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2); LAPPEND_BARRAY(interp, objPtr, "ticket_app_data", ticket, (int) len2); / Get master key / len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH); LAPPEND_BARRAY(interp, objPtr, "master_key", buffer, (int) len2); / Compression id / unsigned int id = SSL_SESSION_get_compress_id(session); LAPPEND_STR(interp, objPtr, "compression_id", id == 1 ? "zlib" : "none", -1); } / Compression info */
︙			︙
2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 ~~2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414~~ 2415 ~~2416~~ 2417 2418 ~~2419 2420~~ 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 ~~2440 2441~~ 2442 2443 2444 2445 2446 2447 2448	/* CA List / / IF not a server, same as SSL_get0_peer_CA_list. If server same as SSL_CTX_get_client_CA_list / listPtr = Tcl_NewListObj(0, NULL); STACK_OF(X509_NAME) ca_list; if ((ca_list = SSL_get_client_CA_list(ssl)) != NULL) { char buffer[BUFSIZ]; for (int i = 0; i < sk_X509_NAME_num(ca_list); i++) { X509_NAME name = sk_X509_NAME_value(ca_list, i); if (name) { X509_NAME_oneline(name, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buffer, -1)); } } } LAPPEND_OBJ(interp, objPtr, "caList", listPtr); LAPPEND_INT(interp, objPtr, "caListCount", sk_X509_NAME_num(ca_list)); ~~Tcl_SetObjResult(interp, objPtr);~~ ~~return TCL_OK;~~ ~~clientData = clientData;~~ } / ------------------------------------------------------------------- * VersionObjCmd -- return version string from OpenSSL. * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / ~~static int~~ ~~VersionObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) {~~ ~~Tcl_Obj objPtr;~~ ~~dprintf("Called");~~ ~~objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1);~~ Tcl_SetObjResult(interp, objPtr); return TCL_OK; clientData = clientData; ~~objc = objc;~~ ~~objv = objv;~~ } / ------------------------------------------------------------------- * MiscObjCmd -- misc commands * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / static int MiscObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { static const char *commands [] = { "req", "strreq", NULL }; enum command { C_REQ, C_STRREQ, C_DUMMY }; ~~~~Tcl_Size cmd;~~ int isStr;~~ char buffer[16384]; dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); return TCL_ERROR;	> < < < \| < < < < < < < < < < < < < < < < < < < < < < < < < \|	2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212	/* CA List / / IF not a server, same as SSL_get0_peer_CA_list. If server same as SSL_CTX_get_client_CA_list / listPtr = Tcl_NewListObj(0, NULL); STACK_OF(X509_NAME) ca_list; if ((ca_list = SSL_get_client_CA_list(ssl)) != NULL) { char buffer[BUFSIZ]; for (int i = 0; i < sk_X509_NAME_num(ca_list); i++) { X509_NAME name = sk_X509_NAME_value(ca_list, i); if (name) { X509_NAME_oneline(name, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buffer, -1)); } } } LAPPEND_OBJ(interp, objPtr, "caList", listPtr); LAPPEND_INT(interp, objPtr, "caListCount", sk_X509_NAME_num(ca_list)); Tcl_SetObjResult(interp, objPtr); return TCL_OK; clientData = clientData; } / ------------------------------------------------------------------- * MiscObjCmd -- misc commands * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / static int MiscObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { static const char *commands [] = { "req", "strreq", NULL }; enum command { C_REQ, C_STRREQ, C_DUMMY }; int cmd, isStr; char buffer[16384]; dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); return TCL_ERROR;
︙			︙
2457 2458 2459 2460 2461 2462 2463 ~~2464 2465~~ 2466 2467 2468 2469 2470 2471 2472	switch ((enum command) cmd) { case C_REQ: case C_STRREQ: { EVP_PKEY pkey=NULL; X509 cert=NULL; X509_NAME name=NULL; Tcl_Obj listv; ~~Tcl_Size~~ listc; ~~int i;~~ BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,str; int keysize,serial=0,days=365;	\| <	2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235	switch ((enum command) cmd) { case C_REQ: case C_STRREQ: { EVP_PKEY pkey=NULL; X509 cert=NULL; X509_NAME name=NULL; Tcl_Obj listv; int listc,i; BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,str; int keysize,serial=0,days=365;

︙			︙
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36	/* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. / #define CERT_STR_SIZE 32768 / * Binary string to hex string / ~~int String_to_Hex(char input, int ilen, char output, int olen) {~~ int count = 0; for (int i = 0; i < ilen && count < olen - 1; i++, count += 2) { ~~sprintf(output + count, "%02X", input[i] & 0xff);~~ } ~~~~output[count]~~ = 0;~~ return count; } / * BIO to Buffer / int BIO_to_Buffer(int result, BIO bio, void *buffer, int size) {	\| > > > < > > \|	16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40	/* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. / #define CERT_STR_SIZE 32768 / * Binary string to hex string / int String_to_Hex(unsigned char input, int ilen, unsigned char output, int olen) { int count = 0; unsigned char iptr = input; unsigned char optr = &output[0]; const char hex = "0123456789abcdef"; for (int i = 0; i < ilen && count < olen - 1; i++, count += 2) { optr++ = hex[(iptr>>4)&0xF]; optr++ = hex[(iptr++)&0xF]; } optr = 0; return count; } / * BIO to Buffer / int BIO_to_Buffer(int result, BIO bio, void *buffer, int size) {
︙			︙
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92	/ Tcl_Obj Tls_x509Identifier(ASN1_OCTET_STRING astring) { Tcl_Obj resultPtr = NULL; int len = 0; char buffer[1024]; if (astring != NULL) { ~~len = String_to_Hex(~~(char )~~ASN1_STRING_get0_data(astring),~~ ASN1_STRING_length(astring), buffer, 1024); } ~~resultPtr = Tcl_NewStringObj(buffer, ~~(Tcl_Size)~~ len);~~ return resultPtr; } / * Get Key Usage / Tcl_Obj Tls_x509KeyUsage(Tcl_Interp interp, X509 cert, uint32_t xflags) {	\| \|	79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96	/ Tcl_Obj Tls_x509Identifier(ASN1_OCTET_STRING astring) { Tcl_Obj resultPtr = NULL; int len = 0; char buffer[1024]; if (astring != NULL) { len = String_to_Hex(ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, 1024); } resultPtr = Tcl_NewStringObj(buffer, len); return resultPtr; } /* * Get Key Usage / Tcl_Obj Tls_x509KeyUsage(Tcl_Interp interp, X509 cert, uint32_t xflags) {
︙			︙
200 201 202 203 204 205 206 ~~207~~ 208 209 210 211 212 213 214	} if (names = X509_get_ext_d2i(cert, nid, NULL, NULL)) { for (int i=0; i < sk_GENERAL_NAME_num(names); i++) { const GENERAL_NAME name = sk_GENERAL_NAME_value(names, i); len = BIO_to_Buffer(name && GENERAL_NAME_print(bio, name), bio, buffer, 1024); ~~LAPPEND_STR(interp, listPtr, NULL, buffer, ~~(Tcl_Size)~~ len);~~ } sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } return listPtr; } /	\|	204 205 206 207 208 209 210 211 212 213 214 215 216 217 218	} if (names = X509_get_ext_d2i(cert, nid, NULL, NULL)) { for (int i=0; i < sk_GENERAL_NAME_num(names); i++) { const GENERAL_NAME name = sk_GENERAL_NAME_value(names, i); len = BIO_to_Buffer(name && GENERAL_NAME_print(bio, name), bio, buffer, 1024); LAPPEND_STR(interp, listPtr, NULL, buffer, len); } sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } return listPtr; } /
︙			︙
277 278 279 280 281 282 283 ~~284~~ 285 286 287 288 289 290 291 292 ~~293~~ 294 295 296 297 298 299 300	if (distpoint->type == 0) { /* full-name GENERALIZEDNAME / for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { GENERAL_NAME gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j); int type; ASN1_STRING uri = GENERAL_NAME_get0_value(gen, &type); if (type == GEN_URI) { ~~LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_get0_data(uri), ~~(Tcl_Size)~~ ASN1_STRING_length(uri));~~ } } } else if (distpoint->type == 1) { / relative-name X509NAME / STACK_OF(X509_NAME_ENTRY) sk_relname = distpoint->name.relativename; for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) { X509_NAME_ENTRY e = sk_X509_NAME_ENTRY_value(sk_relname, j); ASN1_STRING d = X509_NAME_ENTRY_get_data(e); ~~LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_data(d), ~~(Tcl_Size)~~ ASN1_STRING_length(d));~~ } } } CRL_DIST_POINTS_free(crl); } return listPtr; }	\| \|	281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304	if (distpoint->type == 0) { /* full-name GENERALIZEDNAME / for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { GENERAL_NAME gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j); int type; ASN1_STRING uri = GENERAL_NAME_get0_value(gen, &type); if (type == GEN_URI) { LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)); } } } else if (distpoint->type == 1) { / relative-name X509NAME / STACK_OF(X509_NAME_ENTRY) sk_relname = distpoint->name.relativename; for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) { X509_NAME_ENTRY e = sk_X509_NAME_ENTRY_value(sk_relname, j); ASN1_STRING d = X509_NAME_ENTRY_get_data(e); LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_data(d), ASN1_STRING_length(d)); } } } CRL_DIST_POINTS_free(crl); } return listPtr; }
︙			︙
331 332 333 334 335 336 337 ~~338~~ 339 340 341 342 343 344 345	if (ads = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)) { for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(ads); i++) { ad = sk_ACCESS_DESCRIPTION_value(ads, i); if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location) { if (ad->location->type == GEN_URI) { len = ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier); ~~Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buf, ~~(Tcl_Size)~~ len));~~ OPENSSL_free(buf); break; } } } /* sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free); */ AUTHORITY_INFO_ACCESS_free(ads);	\|	335 336 337 338 339 340 341 342 343 344 345 346 347 348 349	if (ads = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)) { for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(ads); i++) { ad = sk_ACCESS_DESCRIPTION_value(ads, i); if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location) { if (ad->location->type == GEN_URI) { len = ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier); Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buf, len)); OPENSSL_free(buf); break; } } } /* sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free); */ AUTHORITY_INFO_ACCESS_free(ads);
︙			︙
391 392 393 394 395 396 397 ~~398~~ 399 400 401 402 403 404 405 ~~406~~ 407 408 409 410 411 412 413 ~~414~~ 415 416 417 418 419 ~~420~~ 421 422 423 ~~424~~ 425 426 427 428 ~~429~~ 430 431 432 ~~433 434~~ 435 436 437 438 ~~439 440~~ 441 442 443 444 445 446 447 448 449 450 451 452 453 454 ~~455~~ 456 457 458 459 460 ~~461~~ 462 463 464 465 466 467 ~~468~~ 469 470 471 472 473 474 475 476 477 478 ~~479~~ 480 481 482 483 484 485 486 487 488 489 ~~490~~ 491 492 493 ~~494~~ 495 496 497 498 499 500 ~~501~~ 502 503 504 505 506 507 508 509 510 511 512 513 514 ~~515~~ 516 517 518 519 520 521 522	int sig_nid; X509_get0_signature(&sig, &sig_alg, cert); /* sig_nid = X509_get_signature_nid(cert) / sig_nid = OBJ_obj2nid(sig_alg->algorithm); LAPPEND_STR(interp, certPtr, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1); len = (sig_nid != NID_undef) ? String_to_Hex(sig->data, sig->length, buffer, BUFSIZ) : 0; ~~LAPPEND_STR(interp, certPtr, "signatureValue", buffer, ~~(Tcl_Size)~~ len);~~ } / Version of the encoded certificate - RFC 5280 section 4.1.2.1 / LAPPEND_LONG(interp, certPtr, "version", X509_get_version(cert)+1); / Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 / len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "serialNumber", buffer, ~~(Tcl_Size)~~ len);~~ / Signature algorithm used by the CA to sign the certificate. Must match signatureAlgorithm. RFC 5280 section 4.1.2.3 / LAPPEND_STR(interp, certPtr, "signature", OBJ_nid2ln(X509_get_signature_nid(cert)), -1); / Issuer identifies the entity that signed and issued the cert. RFC 5280 section 4.1.2.4 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "issuer", buffer, ~~(Tcl_Size)~~ len);~~ / Certificate validity period is the interval the CA warrants that it will maintain info on the status of the certificate. RFC 5280 section 4.1.2.5 / / Get Validity - Not Before / len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notBefore(cert)), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "notBefore", buffer, ~~(Tcl_Size)~~ len);~~ / Get Validity - Not After / len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notAfter(cert)), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "notAfter", buffer, ~~(Tcl_Size)~~ len);~~ / Subject identifies the entity associated with the public key stored in the subject public key field. RFC 5280 section 4.1.2.6 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "subject", buffer, ~~(Tcl_Size)~~ len);~~ / SHA1 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha1(), md, &len)) { ~~len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha1_hash", buffer, ~~(Tcl_Size)~~ len);~~ } / SHA256 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha256(), md, &len)) { ~~len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha256_hash", buffer, ~~(Tcl_Size)~~ len);~~ } / Subject Public Key Info specifies the public key and identifies the algorithm with which the key is used. RFC 5280 section 4.1.2.7 / if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) { ASN1_BIT_STRING key; unsigned int n; LAPPEND_STR(interp, certPtr, "signingDigest", OBJ_nid2ln(mdnid), -1); LAPPEND_STR(interp, certPtr, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1); LAPPEND_INT(interp, certPtr, "bits", bits); /* Effective security bits / key = X509_get0_pubkey_bitstr(cert); len = String_to_Hex(key->data, key->length, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "publicKey", buffer, ~~(Tcl_Size)~~ len);~~ len = 0; if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } ~~LAPPEND_STR(interp, certPtr, "publicKeyHash", buffer, ~~(Tcl_Size)~~ len);~~ / digest of the DER representation of the certificate / len = 0; if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } ~~LAPPEND_STR(interp, certPtr, "signatureHash", buffer, ~~(Tcl_Size)~~ len);~~ } / Certificate Purpose. Call before checking for extensions. / LAPPEND_STR(interp, certPtr, "purpose", Tls_x509Purpose(cert), -1); LAPPEND_OBJ(interp, certPtr, "certificatePurpose", Tls_x509Purposes(interp, cert)); / Get extensions flags / xflags = X509_get_extension_flags(cert); LAPPEND_INT(interp, certPtr, "extFlags", xflags); ~~/ Check if cert was issued by CA cert issuer or self signed /~~ LAPPEND_BOOL(interp, certPtr, "selfIssued", xflags & EXFLAG_SI); LAPPEND_BOOL(interp, certPtr, "selfSigned", xflags & EXFLAG_SS); LAPPEND_BOOL(interp, certPtr, "isProxyCert", xflags & EXFLAG_PROXY); LAPPEND_BOOL(interp, certPtr, "extInvalid", xflags & EXFLAG_INVALID); LAPPEND_BOOL(interp, certPtr, "isCACert", X509_check_ca(cert)); / The Unique Ids are used to handle the possibility of reuse of subject and/or issuer names over time. RFC 5280 section 4.1.2.8 / { const ASN1_BIT_STRING iuid, suid; ~~X509_get0_uids(cert, &iuid, &suid);~~ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerUniqueId", -1)); if (iuid != NULL) { ~~Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )iuid->data, ~~(Tcl_Size)~~ iuid->length));~~ } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectUniqueId", -1)); if (suid != NULL) { ~~Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )suid->data, ~~(Tcl_Size)~~ suid->length));~~ } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } / X509 v3 Extensions - RFC 5280 section 4.1.2.9 / LAPPEND_INT(interp, certPtr, "extCount", X509_get_ext_count(cert)); LAPPEND_OBJ(interp, certPtr, "extensions", Tls_x509Extensions(interp, cert)); / Authority Key Identifier (AKI) is the Subject Key Identifier (SKI) of its signer (the CA). RFC 5280 section 4.2.1.1, NID_authority_key_identifier / LAPPEND_OBJ(interp, certPtr, "authorityKeyIdentifier", Tls_x509Identifier(X509_get0_authority_key_id(cert))); / Subject Key Identifier (SKI) is used to identify certificates that contain a particular public key. RFC 5280 section 4.2.1.2, NID_subject_key_identifier / LAPPEND_OBJ(interp, certPtr, "subjectKeyIdentifier", Tls_x509Identifier(X509_get0_subject_key_id(cert))); / Key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key in the certificate. RFC 5280 section 4.2.1.3, NID_key_usage */	\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526	int sig_nid; X509_get0_signature(&sig, &sig_alg, cert); /* sig_nid = X509_get_signature_nid(cert) / sig_nid = OBJ_obj2nid(sig_alg->algorithm); LAPPEND_STR(interp, certPtr, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1); len = (sig_nid != NID_undef) ? String_to_Hex(sig->data, sig->length, buffer, BUFSIZ) : 0; LAPPEND_STR(interp, certPtr, "signatureValue", buffer, len); } / Version of the encoded certificate - RFC 5280 section 4.1.2.1 / LAPPEND_LONG(interp, certPtr, "version", X509_get_version(cert)+1); / Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 / len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "serialNumber", buffer, len); / Signature algorithm used by the CA to sign the certificate. Must match signatureAlgorithm. RFC 5280 section 4.1.2.3 / LAPPEND_STR(interp, certPtr, "signature", OBJ_nid2ln(X509_get_signature_nid(cert)), -1); / Issuer identifies the entity that signed and issued the cert. RFC 5280 section 4.1.2.4 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags), bio, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "issuer", buffer, len); / Certificate validity period is the interval the CA warrants that it will maintain info on the status of the certificate. RFC 5280 section 4.1.2.5 / / Get Validity - Not Before / len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notBefore(cert)), bio, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "notBefore", buffer, len); / Get Validity - Not After / len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notAfter(cert)), bio, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "notAfter", buffer, len); / Subject identifies the entity associated with the public key stored in the subject public key field. RFC 5280 section 4.1.2.6 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "subject", buffer, len); / SHA1 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha1(), md, &len)) { len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha1_hash", buffer, len); } / SHA256 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha256(), md, &len)) { len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha256_hash", buffer, len); } / Subject Public Key Info specifies the public key and identifies the algorithm with which the key is used. RFC 5280 section 4.1.2.7 / if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) { ASN1_BIT_STRING key; unsigned int n; LAPPEND_STR(interp, certPtr, "signingDigest", OBJ_nid2ln(mdnid), -1); LAPPEND_STR(interp, certPtr, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1); LAPPEND_INT(interp, certPtr, "bits", bits); /* Effective security bits / key = X509_get0_pubkey_bitstr(cert); len = String_to_Hex(key->data, key->length, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "publicKey", buffer, len); len = 0; if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } LAPPEND_STR(interp, certPtr, "publicKeyHash", buffer, len); / digest of the DER representation of the certificate / len = 0; if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } LAPPEND_STR(interp, certPtr, "signatureHash", buffer, len); } / Certificate Purpose. Call before checking for extensions. / LAPPEND_STR(interp, certPtr, "purpose", Tls_x509Purpose(cert), -1); LAPPEND_OBJ(interp, certPtr, "certificatePurpose", Tls_x509Purposes(interp, cert)); / Get extensions flags / xflags = X509_get_extension_flags(cert); LAPPEND_INT(interp, certPtr, "extFlags", xflags); / Check if cert was issued by CA cert issuer or self signed / LAPPEND_BOOL(interp, certPtr, "selfIssued", xflags & EXFLAG_SI); LAPPEND_BOOL(interp, certPtr, "selfSigned", xflags & EXFLAG_SS); LAPPEND_BOOL(interp, certPtr, "isProxyCert", xflags & EXFLAG_PROXY); LAPPEND_BOOL(interp, certPtr, "extInvalid", xflags & EXFLAG_INVALID); LAPPEND_BOOL(interp, certPtr, "isCACert", X509_check_ca(cert)); / The Unique Ids are used to handle the possibility of reuse of subject and/or issuer names over time. RFC 5280 section 4.1.2.8 / { const ASN1_BIT_STRING iuid, suid; X509_get0_uids(cert, &iuid, &suid); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerUniqueId", -1)); if (iuid != NULL) { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )iuid->data, iuid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectUniqueId", -1)); if (suid != NULL) { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )suid->data, suid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } / X509 v3 Extensions - RFC 5280 section 4.1.2.9 / LAPPEND_INT(interp, certPtr, "extCount", X509_get_ext_count(cert)); LAPPEND_OBJ(interp, certPtr, "extensions", Tls_x509Extensions(interp, cert)); / Authority Key Identifier (AKI) is the Subject Key Identifier (SKI) of its signer (the CA). RFC 5280 section 4.2.1.1, NID_authority_key_identifier / LAPPEND_OBJ(interp, certPtr, "authorityKeyIdentifier", Tls_x509Identifier(X509_get0_authority_key_id(cert))); / Subject Key Identifier (SKI) is used to identify certificates that contain a particular public key. RFC 5280 section 4.2.1.2, NID_subject_key_identifier / LAPPEND_OBJ(interp, certPtr, "subjectKeyIdentifier", Tls_x509Identifier(X509_get0_subject_key_id(cert))); / Key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key in the certificate. RFC 5280 section 4.2.1.3, NID_key_usage */
︙			︙
581 582 583 584 585 586 587 ~~588~~ 589 590 591 592 593 594 595 596 ~~597~~ 598 599 600 ~~601~~ 602 603 604 605 606	/* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access / / Certificate Alias. If uses a PKCS#12 structure, alias will reflect the friendlyName attribute (RFC 2985). / { len = 0; char string = X509_alias_get0(cert, &len); ~~LAPPEND_STR(interp, certPtr, "alias", string, ~~(Tcl_Size)~~ len);~~ } /* Certificate and dump all data / { char certStr[CERT_STR_SIZE]; / Get certificate / len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE); ~~LAPPEND_STR(interp, certPtr, "certificate", certStr, ~~(Tcl_Size)~~ len);~~ / Get all cert info */ len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, certStr, CERT_STR_SIZE); ~~LAPPEND_STR(interp, certPtr, "all", certStr, ~~(Tcl_Size)~~ len);~~ } BIO_free(bio); return certPtr; }	\| \| \|	585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610	/* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access / / Certificate Alias. If uses a PKCS#12 structure, alias will reflect the friendlyName attribute (RFC 2985). / { len = 0; char string = X509_alias_get0(cert, &len); LAPPEND_STR(interp, certPtr, "alias", string, len); } /* Certificate and dump all data / { char certStr[CERT_STR_SIZE]; / Get certificate / len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE); LAPPEND_STR(interp, certPtr, "certificate", certStr, len); / Get all cert info */ len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, certStr, CERT_STR_SIZE); LAPPEND_STR(interp, certPtr, "all", certStr, len); } BIO_free(bio); return certPtr; }