TclTLS: Changes On Branch 917a43a776bfd3f6

Changes In Branch crypto Through [917a43a776] Excluding Merge-Ins

This is equivalent to a diff from 914ac6b2a4 to 917a43a776

2023-11-23
04:17		Added more test cases to check for errors, test mac command, etc. check-in: 4ba41f1db2 user: bohagan tags: crypto
03:26		Added early version of mac command. Added back ability to provide data as last arg without -data option. check-in: 917a43a776 user: bohagan tags: crypto
02:52		Added more message digest test cases from RFC 6234 and info command error test cases check-in: c6b0a3cd11 user: bohagan tags: crypto
2023-11-22
22:18		Fix to IO test missing set blocking value. See https://core.tcl-lang.org/tcltls/tktview/bb7085cfdc check-in: 104e43c85e user: bohagan tags: trunk
2023-10-28
17:30		Merged in changes from master check-in: 1de7e0ec74 user: bohagan tags: crypto
17:20		Optimized TLS channel type definition check-in: 914ac6b2a4 user: bohagan tags: trunk
2023-10-09
19:08		Updated to latest TEA and Tcl Config check-in: ec0cc9fbdf user: bohagan tags: trunk

Modified configure from [4c56eae107] to [285f813da9].

Modified configure.ac from [ac9d3aa5eb] to [48f68fd73a].

Modified doc/tls.html from [9494c1c42e] to [b95229bb9c].

Modified generic/tclOpts.h from [fee5089a30] to [c197957f96].

Modified generic/tls.c from [f4a59d7949] to [66b088c361].

Modified generic/tlsBIO.c from [904acc3cbd] to [3977ec0a04].

Added generic/tlsDigest.c version [4e866a5357].

Modified generic/tlsIO.c from [fb8d969c33] to [0b06e53585].

Added generic/tlsInfo.c version [8baec4a647].

Modified generic/tlsInt.h from [0103fefac9] to [f793362aa1].

Modified generic/tlsX509.c from [a931d05109] to [ead2e837f3].

Modified tests/badssl.csv from [8df90efe9b] to [3b4cb80289].

Modified tests/badssl.test from [66893a8fa7] to [ef286e344c].

Deleted tests/ciphers.csv version [f4aff3652a].

Deleted tests/ciphers.test version [212c1bf055].

Added tests/common.tcl version [019f917847].

Added tests/digest.csv version [8676887f95].

Added tests/digest.test version [6439f34d44].

Added tests/info.csv version [e9434748d4].

Added tests/info.test version [a2f4e9e8c8].

Modified tests/make_test_files.tcl from [c31b96320d] to [fcabf4c415].

Modified win/makefile.vc from [11d5b7bf2c] to [f23472ab04].

︙
27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 ~~67 68 69~~ 70 71 72 73 74 75 76	27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100	+ - + + + + + + + + + + + + - + + - - - + + + + + + + + + + + + + +	<dd><b>tls::socket</b> <em> ?-server command? ?options? port</em></dd> <dd><b>tls::handshake</b> <em> channel</em></dd> <dd><b>tls::status </b> <em>?-local? channel</em></dd> <dd><b>tls::connection </b> <em>channel</em></dd> <dd><b>tls::import</b> <em>channel ?options?</em></dd> <dd><b>tls::unimport</b> <em>channel</em></dd> <dt> </dt> <dd><b>tls::cipher</b> <em>name</em></dd> ~~<dd><b>tls::ciphers </b> <em>protocol ?verbose? ?supported?</em></dd>~~ <dd><b>tls::ciphers</b> <em>?protocol? ?verbose? ?supported?</em></dd> <dd><b>tls::digests</b> <em>?name?</em></dd> <dd><b>tls::macs</b></dd> <dd><b>tls::protocols</b></dd> <dd><b>tls::version</b></dd> <dt> </dt> <dd><b>tls::digest</b> <b>-digest</b> <em>name ?options?</em></dd> <dd><b>tls::cmac</b> <b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?options?</em></dd> <dd><b>tls::hmac</b> <b>-digest</b> <em>name</em> <b>-key</b> <em>key ?options?</em></dd> <dd><b>tls::md4</b> <em>data</em></dd> <dd><b>tls::md5</b> <em>data</em></dd> <dd><b>tls::sha1</b> <em>data</em></dd> <dd><b>tls::sha256</b> <em>data</em></dd> <dd><b>tls::sha512</b> <em>data</em></dd> </dl> </dd> <dd><a href="#COMMANDS">COMMANDS</a></dd> <dd><a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a></dd> <dd><a href="#HTTPS EXAMPLE">HTTPS EXAMPLE</a></dd> <dd><a href="#SEE ALSO">SPECIAL CONSIDERATIONS</a></dd> <dd><a href="#SEE ALSO">SEE ALSO</a></dd> </dl> <hr> <h3><a name="NAME">NAME</a></h3> <p><strong>tls</strong> - binding to <strong>OpenSSL</strong> toolkit.</p> <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> ~~<p><b>package require Tcl 8.4</b><br>~~ <p><b>package require Tcl 8.5</b><br> <b>package require tls</b><br> <br> <a href="#tls::init"><b>tls::init</b> <i>?options?</i></a><br> <a href="#tls::socket"><b>tls::socket</b> <i>?options? host port</i><br> <a href="#tls::socket"><b>tls::socket</b> <i>?-server command? ?options? port</i></a><br> <a href="#tls::status"><b>tls::status</b> <i>?-local? channel</i></a><br> <a href="#tls::connection"><b>tls::connection</b> <i>channel</i></a><br> <a href="#tls::handshake"><b>tls::handshake</b> <i>channel</i></a><br> <a href="#tls::import"><b>tls::import</b> <i>channel ?options?</i></a><br> <a href="#tls::unimport"><b>tls::unimport</b> <i>channel</i></a><br> <br> <a href="#tls::cipher"><b>tls::cipher</b> <i>name</i></a><br> ~~<a href="#tls::ciphers"><b>tls::ciphers</b> <i>protocol ?verbose? ?supported?</i></a><br> <a href="#tls::protocols"><b>tls::protocols</b></a> <a href="#tls::version"><b>tls::version</b></a>~~ <a href="#tls::ciphers"><b>tls::ciphers</b> <i>?protocol? ?verbose? ?supported?</i></a><br> <a href="#tls::digests"><b>tls::digests</b> <i>?name?</i></a><br> <a href="#tls::macs"><b>tls::macs</b></a><br> <a href="#tls::protocols"><b>tls::protocols</b></a><br> <a href="#tls::version"><b>tls::version</b></a><br> <br> <a href="#tls::digest"><b>tls::digest</b> <b>-digest</b> <i>name ?options?</i></a><br> <a href="#tls::cmac"><b>tls::cmac</b> <b>-cipher</b> <i>name</i> <b>-key</b> <i>key ?options?</i></a><br> <a href="#tls::hmac"><b>tls::hmac</b> <b>-digest</b> <i>name</i> <b>-key</b> <i>key ?options?</i></a><br> <a href="#tls::md4"><b>tls::md4</b> <i>data</i></a><br> <a href="#tls::md5"><b>tls::md5</b> <i>data</i></a><br> <a href="#tls::sha1"><b>tls::sha1</b> <i>data</i></a><br> <a href="#tls::sha256"><b>tls::sha256</b> <i>data</i></a><br> <a href="#tls::sha512"><b>tls::sha512</b> <i>data</i></a><br> </p> <h3><a name="DESCRIPTION">DESCRIPTION</a></h3> <p>This extension provides a generic binding to <a href="http://www.openssl.org/">OpenSSL</a>, utilizing the <strong>Tcl_StackChannel</strong>
︙
99 100 101 102 103 104 105 ~~106~~ 107 108 109 110 111 112 113	123 124 125 126 127 128 129 130 131 132 133 134 135 136 137	- +	host port</em></a></dt> <dt><b>tls::socket</b><em> ?-server command? ?options? port</em></dt> <dd>This is a helper function that utilizes the underlying commands (<strong>tls::import</strong>). It behaves exactly the same as the native Tcl <strong>socket</strong> command except that the options can include any of the applicable <a href="#tls::import"><strong>tls:import</strong></a> ~~options with one additional option:~~ options with one additional option:</dd> <blockquote> <dl> <dt><strong>-autoservername</strong> <em>bool</em></dt> <dd>Automatically send the -servername as the <em>host</em> argument (default is <em>false</em>)</dd> </dl> </blockquote>
︙
179 180 181 182 183 184 185 ~~186~~ 187 188 189 190 191 192 193	203 204 205 206 207 208 209 210 211 212 213 214 215 216 217	- +	<dt><strong>-request </strong><em>bool</em></dt> <dd>Request a certificate from peer during SSL handshake. (default is <em>true</em>)</dd> <dt><strong>-require</strong> <em>bool</em></dt> <dd>Require a valid certificate from peer during SSL handshake. If this is set to true, then <strong>-request</strong> must also be set to true. (default is <em>false</em>)</dd> ~~<dt><strong>-securitylevel</strong> <em>integer</em></dt>~~ <dt><strong>-security_level</strong> <em>integer</em></dt> <dd>Set security level. Must be 0 to 5. The security level affects cipher suite encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes and signature algorithms. The default is 1. Level 3 and higher disable support for session tickets and only accept cipher suites that provide forward secrecy.</dd> <dt><strong>-server</strong> <em>bool</em></dt>
︙
228 229 230 231 232 233 234 ~~235~~ 236 237 ~~238 239~~ 240 241 242 243 244 245 246	252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270	- + - - + +	<dt><a name="tls::handshake"><strong>tls::handshake</strong> <em>channel</em></a></dt> <dd>Forces handshake to take place, and returns 0 if handshake is still in progress (non-blocking), or 1 if the handshake was successful. If the handshake failed this routine will throw an error.</dd> <dt> </dt> <dt><a name="tls::status"><strong>tls::status</strong> ~~<em>?-local? channel</em></a></dt>~~ <em>?</em><b>-local</b><em>? channel</em></a></dt> <dd>Returns the current status of the certificate for an SSL channel. The result is a list of key-value pairs describing ~~the certificate. If the result is an empty list then the~~ SSL handshake has not yet completed~~. If <em>-local</em> is~~ the certificate. If the SSL handshake has not yet completed, an empty list is returned. If <b>-local</b> is specified, then the local certificate is used.</dd> <blockquote> <b>SSL Status</b> <dl> <dt><strong>alpn</strong> <em>protocol</em></dt> <dd>The protocol selected after Application-Layer Protocol Negotiation (ALPN).</dd>
︙
350 351 352 353 354 355 356 ~~357~~ 358 ~~359~~ 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 ~~378~~ 379 380 381 382 383 ~~384~~ 385 386 387 388 389 390 391 392 393 394	374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425	- + - + + + - + + + + - + + +	<dt><strong>state</strong> <em>state</em></dt> <dd>State of the connection.</dd> <dt><strong>servername</strong> <em>name</em></dt> <dd>The name of the connected to server.</dd> <dt><strong>protocol</strong> <em>version</em></dt> <dd>The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.</dd> ~~<dt><strong>renegotiation</strong> <em>boolean</em></dt>~~ <dt><strong>renegotiation_allowed</strong> <em>boolean</em></dt> <dd>Whether protocol renegotiation is supported or not.</dd> ~~<dt><strong>securitylevel</strong> <em>level</em></dt>~~ <dt><strong>security_level</strong> <em>level</em></dt> <dd>The security level used for selection of ciphers, key size, etc.</dd> <dt><strong>session_reused</strong> <em>boolean</em></dt> <dd>Whether the session has been reused or not.</dd> <dt><strong>is_server</strong> <em>boolean</em></dt> <dd>Whether the connection is configured as a server (1) or client (0).</dd> <dt><strong>compression</strong> <em>mode</em></dt> <dd>Compression method.</dd> <dt><strong>expansion</strong> <em>mode</em></dt> <dd>Expansion method.</dd> <dt><strong>caList</strong> <em>list</em></dt> <dd>List of Certificate Authorities (CA) for X.509 certificate.</dd> </dl> </blockquote> <blockquote> <b>Cipher Info</b> <dl> <dt><strong>cipher</strong> <em>cipher</em></dt> <dd>The current cipher in use for the connection.</dd> <dt><strong>standard_name</strong> <em>name</em></dt> <dd>The standard RFC name of cipher.</dd> ~~<dt><strong>bits</strong> <em>n</em></dt>~~ <dt><strong>algorithm_bits</strong> <em>n</em></dt> <dd>The number of processed bits used for cipher.</dd> <dt><strong>secret_bits</strong> <em>n</em></dt> <dd>The number of secret bits used for cipher.</dd> <dt><strong>min_version</strong> <em>version</em></dt> <dd>The minimum protocol version for cipher.</dd> <dt><strong>cipher_is_aead</strong> <em>boolean</em></dt> <dd>Whether the cipher is Authenticated encryption with associated data (AEAD).</dd> ~~<dt><strong>id</strong> <em>id</em></dt>~~ <dt><strong>cipher_id</strong> <em>id</em></dt> <dd>The OpenSSL cipher id.</dd> <dt><strong>description</strong> <em>string</em></dt> <dd>A text description of the cipher.</dd> <dt><strong>handshake_digest</strong> <em>boolean</em></dt> <dd>Digest used during handshake.</dd> </dl> </blockquote> <blockquote> <b>Session Info</b> <dl> <dt><strong>alpn</strong> <em>protocol</em></dt> <dd>The protocol selected after Application-Layer Protocol
︙
409 410 411 412 413 414 415 416 417 ~~418 419 420~~ ~~421 422 423 424 425~~ 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441	440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581	+ + + + + - - - + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +	<dd>Unique session ticket application data.</dd> <dt><strong>master_key</strong> <em>binary_string</em></dt> <dd>Unique session master key.</dd> <dt><strong>session_cache_mode</strong> <em>mode</em></dt> <dd>Server cache mode (client, server, or both).</dd> </dl> </blockquote> <dt><a name="tls::cipher"><strong>tls::cipher</strong> <em>name</em></a></dt> <dd>Return a list of property names and values describing cipher <i>name</i>. Properties include name, description, block_size, key_length, iv_length, type, and mode list.</dd> <dt><a name="tls::ciphers"><strong>tls::ciphers</strong> <em>protocol ?verbose? ?supported?</em></a></dt> <dd>Returns a list of ~~supported~~ ciphers ~~available for~~ <em>protocol</em>, ~~where~~ protocol ~~must be one of <b>ssl2, ssl3, tls1, tls1.1,~~ <em>?protocol? ?verbose? ?supported?</em></a></dt> <dd>Without any args, returns a list of all ciphers. With <em>protocol</em>, only the ciphers supported for that protocol are returned. See <b>tls::protocols</b> command for the supported protocols. If ~~tls1.2,</b> or <b>tls1.3</b>. If <em>verbose</em> is specified as~~ true then a verbose, human readable ~~list is returned with~~ additional information on the cipher. If ~~<em>supported</em>~~ is specified as true, then only the ciphers ~~supported for protocol~~ will be listed.</dd> <em>verbose</em> is specified as true then a verbose, human readable list is returned with additional information on the cipher. If <em>supported</em> is specified as true, then only the ciphers supported for protocol will be listed.</dd> <dt><a name="tls::digests"><strong>tls::digests</strong> <em>?name?</em></a></dt> <dd>Without <em>name</em>, returns a list of the supported hash algorithms for <b>tls::digest</b> command. With <em>name</em>, returns a list of property names and values describing digest <i>name</i>. Properties include name, description, size, block_size, type, and flags list.</dd> <dt><a name="tls::macs"><strong>tls::macs</strong></a></dt> <dd>Returns a list of the available Message Authentication Codes (MAC) for the <b>tls::digest</b> command.</dd> <dt><a name="tls::protocols"><strong>tls::protocols</strong></a></dt> <dd>Returns a list of supported protocols. Valid values are: <b>ssl2</b>, <b>ssl3</b>, <b>tls1</b>, <b>tls1.1</b>, <b>tls1.2</b>, and <b>tls1.3</b>. Exact list depends on OpenSSL version and compile time flags.</dd> <dt><a name="tls::version"><strong>tls::version</strong></a></dt> <dd>Returns the OpenSSL version string.</dd> <br> <dt><a name="tls::digest"><strong>tls::digest</strong> <b>-digest</b> <em>name ?</em><b>-bin</b>\|<b>-hex</b><em>? [</em><b>-file</b> <em>filename \| </em><b>-command</b> <em>cmdName \| </em><b>-chan</b> <em>channelId \| </em><b>-data</b> <em>data]</em></a></dt> <dd>Calculate the message digest (MD) of data using <em>name</em> hash function and return the resulting hash value as a hex string (default) or as a binary value with <b>-bin</b> or <b>-binary</b> option. MDs are used to ensure the integrity of data. The hash function can be any supported OpenSSL algorithm such as <b>md4</b>, <b>md5</b>, <b>sha1</b>, <b>sha256</b>, <b>sha512</b>, <b>sha3-256</b>, etc. See <b>tls::digests</b> command for a full list. In OpenSSL 3.0+, older algorithms may reside in the legacy provider. <br> Using the <b>-data</b> option will immediately return the message digest for <em>data</em> in the specified format. Example code: <blockquote><code> set md [::tls::digest sha256 "Some example data."]<br> </code></blockquote> Using the <b>-file</b> or <b>-filename</b> option will open file <em>filename</em>, read the file data, close the file, and return the message digest in the specified format. This uses the TCL APIs, so VFS files are supported. Example code: <blockquote><code> set md [::tls::digest -digest sha256 -file test_file.txt]<br> </code></blockquote> Using the <b>-chan</b> or <b>-channel</b> option, a stacked channel is created for <em>channelId</em> and data read from the channel is used to calculate a message digest with the result returned with the last read operation before EOF. Channel is automatically set to binary mode. Example code: <blockquote><code> set ch [open test_file.txt r]<br> ::tls::digest -digest sha256 -chan $ch<br> while {![eof $ch]} {set md [read $ch 4096]}<br> close $ch </code></blockquote> Using the <b>-command</b> option, a new command <em>cmdName</em> is created and returned. To add data to the hash function, call "<em>cmdName</em> <b>update</b> <em>data</em>", where data is the data to add. When done, call "<em>cmdName</em> <b>finalize</b>" to return the message digest. Example code: <blockquote><code> set cmd [::tls::digest -digest sha256 -command ::tls::temp]<br> $cmd update "Some data. "<br> $cmd update "More data."<br> set md [$cmd finalize] </code></blockquote> </dd> <dt><a name="tls::cmac"><strong>tls::cmac</strong> <b>-cipher</b> <em>name</em> <b>-key</b> <em>key ?</em><b>-bin</b>\|<b>-hex</b><em>? [</em><b>-file</b> <em>filename \| </em><b>-command</b> <em>cmdName \| </em><b>-chan</b> <em>channelId \| </em><b>-data</b> <em>data]</em></a></dt> <dd>Calculate the Cipher-based Message Authentication Code (CMAC). MACs are used to ensure authenticity and the integrity of data. It uses the same options as <b>tls::digest</b>, plus the additional option <b>-cipher</b> to specify the cipher to use and for certain ciphers, <b>-key</b> to specify the key.</dd> <dt><a name="tls::hmac"><strong>tls::hmac</strong> <b>-digest</b> <em>name</em> <b>-key</b> <em>key ?</em><b>-bin</b>\|<b>-hex</b><em>? [</em><b>-file</b> <em>filename \| </em><b>-command</b> <em>cmdName \| </em><b>-chan</b> <em>channelId \| </em><b>-data</b> <em>data]</em></a></dt> <dd>Calculate the Hash-based Message Authentication Code (HMAC). HMACs are used to ensure the data integrity and authenticity of a message using a shared secret key. The cryptographic strength depends upon the size of the key and the security of the hash function used. It uses the same options as <b>tls::digest</b>, plus additional option <b>-key</b> to specify the key to use. To salt a password, append or prepend the salt data to the password.</dd> <dt><a name="tls::mac"><strong>tls::mac</strong> <b>-cipher</b> <em>name</em> <b>-digest</b> <em>name</em> <b>-key</b> <em>key ?</em><b>-bin</b>\|<b>-hex</b><em>? [</em><b>-file</b> <em>filename \| </em><b>-command</b> <em>cmdName \| </em><b>-chan</b> <em>channelId \| </em><b>-data</b> <em>data]</em></a></dt> <dd>(OpenSSL 3.0+) Calculate the Message Authentication Code (MAC). MACs are used to ensure authenticity and the integrity of data. It uses the same options as <b>tls::digest</b>, plus the additional options <b>-cipher</b> to specify the cipher to use, <b>-digest</b> to specify the digest, and for certain ciphers, <b>-key</b> to specify the key.</dd> <dt><a name="tls::md4"><strong>tls::md4</strong> <em>data</em></a></dt> <dd>Returns the MD4 message-digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::md5"><strong>tls::md5</strong> <em>data</em></a></dt> <dd>Returns the MD5 message-digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::sha1"><strong>tls::sha1</strong> <em>data</em></a></dt> <dd>Returns the SHA1 secure hash algorithm digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::sha256"><strong>tls::sha256</strong> <em>data</em></a></dt> <dd>Returns the SHA-2 SHA256 secure hash algorithm digest for <em>data</em> as a hex string.</dd> <dt><a name="tls::sha512"><strong>tls::sha512</strong> <em>data</em></a></dt> <dd>Returns the SHA-2 SHA512 secure hash algorithm digest for <em>data</em> as a hex string.</dd> </dl> <h3><a name="CALLBACK OPTIONS">CALLBACK OPTIONS</a></h3> <p> As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the
︙

︙
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55	22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58	+ + + + -	* / #include "tlsInt.h" #include "tclOpts.h" #include <stdio.h> #include <stdlib.h> #include <openssl/crypto.h> #include <openssl/ssl.h> #include <openssl/evp.h> #include <openssl/objects.h> #include <openssl/rsa.h> #include <openssl/safestack.h> / Min OpenSSL version / #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif / * External functions / / * Forward declarations / #define F2N(key, dsp) \ (((key) == NULL) ? (char ) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) ~~#define REASON() ERR_reason_error_string(ERR_get_error())~~ static SSL_CTX CTX_Init(State statePtr, int isServer, int proto, char key, char certfile, unsigned char key_asn1, unsigned char cert_asn1, int key_asn1_len, int cert_asn1_len, char CAdir, char CAfile, char ciphers, char ciphersuites, int level, char *DHparams); static int TlsLibInit(int uninitialize);
︙
442 443 444 445 446 447 448 ~~449~~ 450 451 452 453 454 455 456	445 446 447 448 449 450 451 452 453 454 455 456 457 458 459	- +	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); if (msg != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); ~~} else if ((msg = Tcl_GetStringFromObj(Tcl_GetObjResult(interp), ~~(Tcl_Size *)~~NULL)) != NULL) {~~ } else if ((msg = Tcl_GetStringFromObj(Tcl_GetObjResult(interp), NULL)) != NULL) { Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1)); } else { listPtr = Tcl_NewListObj(0, NULL); while ((err = ERR_get_error()) != 0) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1)); }
︙
549 550 551 552 553 554 555 ~~556~~ 557 ~~558 559~~ 560 561 562 563 ~~564~~ 565 566 567 568 569 570 571	552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574	- + - - + + - +	} Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long / if (code == TCL_OK) { ~~~~Tcl_Size~~ len;~~ int len; char ret = (char ) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); ~~if (len > ~~(Tcl_Size)~~ size-1) { len = ~~(Tcl_Size)~~ size-1;~~ if (len > size-1) { len = size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((ClientData) interp); ~~return(~~(int)~~ len);~~ return(len); } Tcl_Release((ClientData) interp); return -1; } / *-------------------------------------------------------------------
︙
611 612 613 614 615 616 617 ~~618~~ 619 620 621 ~~622~~ 623 624 625 626 627 628 629	614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632	- + - +	cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); /* Session id / session_id = SSL_SESSION_get_id(session, &ulen); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (~~Tcl_Size~~) ulen));~~ Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (int) ulen)); / Session ticket / SSL_SESSION_get0_ticket(session, &ticket, &len2); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(ticket, (~~Tcl_Size~~) len2));~~ Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(ticket, (int) len2)); / Lifetime - number of seconds / Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); / Eval callback command */ Tcl_IncrRefCount(cmdPtr);
︙
900 901 902 903 904 905 906 ~~907~~ 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150	903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937	- + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -	servername = (const char )p; / Create command to eval / cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); ~~Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (~~Tcl_Size~~) len));~~ Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (int) len)); / Eval callback command / Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_CLIENT_HELLO_RETRY; alert = SSL_R_TLSV1_ALERT_USER_CANCELLED; } else if (code == 1) { res = SSL_CLIENT_HELLO_SUCCESS; } else { res = SSL_CLIENT_HELLO_ERROR; alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; } Tcl_DecrRefCount(cmdPtr); return res; } /******************/ / Commands / /******************/ / ------------------------------------------------------------------- * CiphersObjCmd -- list available ciphers * * This procedure is invoked to process the "tls::ciphers" command * to list available ciphers, based upon protocol selected. * * Results: * A standard Tcl result list. * * Side effects: * constructs and destroys SSL context (CTX) * ------------------------------------------------------------------- / ~~static const char protocols[] = {~~ ~~"ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL~~ }; ~~enum protocol {~~ ~~TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE~~ }; ~~static int~~ ~~CiphersObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) {~~ ~~Tcl_Obj objPtr = NULL;~~ ~~SSL_CTX ctx = NULL;~~ ~~SSL ssl = NULL;~~ ~~STACK_OF(SSL_CIPHER) sk;~~ ~~char cp, buf[BUFSIZ];~~ ~~int index, verbose = 0, use_supported = 0;~~ ~~const SSL_METHOD method;~~ ~~dprintf("Called");~~ ~~if ((objc < 2) \|\| (objc > 4)) {~~ ~~Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose? ?supported?");~~ ~~return TCL_ERROR;~~ } ~~if (Tcl_GetIndexFromObj(interp, objv[1], protocols, "protocol", 0, &index) != TCL_OK) {~~ ~~return TCL_ERROR;~~ } ~~if ((objc > 2) && Tcl_GetBooleanFromObj(interp, objv[2], &verbose) != TCL_OK) {~~ ~~return TCL_ERROR;~~ } ~~if ((objc > 3) && Tcl_GetBooleanFromObj(interp, objv[3], &use_supported) != TCL_OK) {~~ ~~return TCL_ERROR;~~ } ~~ERR_clear_error();~~ ~~switch ((enum protocol)index) {~~ ~~case TLS_SSL2:~~ ~~#if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = SSLv2_method(); break;~~ ~~#endif~~ ~~case TLS_SSL3:~~ ~~#if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) \|\| defined(OPENSSL_NO_SSL3_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = SSLv3_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1:~~ ~~#if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) \|\| defined(OPENSSL_NO_TLS1_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLSv1_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1_1:~~ ~~#if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLSv1_1_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1_2:~~ ~~#if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2_METHOD)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLSv1_2_method(); break;~~ ~~#endif~~ ~~case TLS_TLS1_3:~~ ~~#if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3)~~ ~~Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL);~~ ~~return TCL_ERROR;~~ ~~#else~~ ~~method = TLS_method();~~ ~~SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);~~ ~~SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);~~ ~~break;~~ ~~#endif~~ ~~default:~~ ~~method = TLS_method();~~ ~~break;~~ } ~~ctx = SSL_CTX_new(method);~~ ~~if (ctx == NULL) {~~ ~~Tcl_AppendResult(interp, REASON(), NULL);~~ ~~return TCL_ERROR;~~ } ~~ssl = SSL_new(ctx);~~ ~~if (ssl == NULL) {~~ ~~Tcl_AppendResult(interp, REASON(), NULL);~~ ~~SSL_CTX_free(ctx);~~ ~~return TCL_ERROR;~~ } ~~/ Use list and order as would be sent in a ClientHello or all available ciphers /~~ ~~if (use_supported) {~~ ~~sk = SSL_get1_supported_ciphers(ssl);~~ ~~} else {~~ ~~sk = SSL_get_ciphers(ssl);~~ } ~~if (sk != NULL) {~~ ~~if (!verbose) {~~ ~~objPtr = Tcl_NewListObj(0, NULL);~~ ~~for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {~~ ~~const SSL_CIPHER c = sk_SSL_CIPHER_value(sk, i);~~ ~~if (c == NULL) continue;~~ ~~/* cipher name or (NONE) /~~ ~~cp = SSL_CIPHER_get_name(c);~~ ~~if (cp == NULL) break;~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(cp, -1));~~ } ~~} else {~~ ~~objPtr = Tcl_NewStringObj("",0);~~ ~~for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {~~ ~~const SSL_CIPHER c = sk_SSL_CIPHER_value(sk, i);~~ ~~if (c == NULL) continue;~~ ~~/* textual description of the cipher /~~ ~~if (SSL_CIPHER_description(c, buf, sizeof(buf)) != NULL) {~~ ~~Tcl_AppendToObj(objPtr, buf, (Tcl_Size) strlen(buf));~~ ~~} else {~~ ~~Tcl_AppendToObj(objPtr, "UNKNOWN\n", 8);~~ } } } ~~if (use_supported) {~~ ~~sk_SSL_CIPHER_free(sk);~~ } } ~~SSL_free(ssl);~~ ~~SSL_CTX_free(ctx);~~ ~~Tcl_SetObjResult(interp, objPtr);~~ ~~return TCL_OK;~~ ~~clientData = clientData;~~ } / ------------------------------------------------------------------- * ProtocolsObjCmd -- list available protocols * * This procedure is invoked to process the "tls::protocols" command * to list available protocols. * * Results: * A standard Tcl result list. * * Side effects: * none * ------------------------------------------------------------------- / ~~static int~~ ~~ProtocolsObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) {~~ ~~Tcl_Obj objPtr;~~ ~~dprintf("Called");~~ ~~if (objc != 1) {~~ ~~Tcl_WrongNumArgs(interp, 1, objv, "");~~ ~~return TCL_ERROR;~~ } ~~ERR_clear_error();~~ ~~objPtr = Tcl_NewListObj(0, NULL);~~ ~~#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL2], -1));~~ ~~#endif~~ ~~#if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL3], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_1], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_2], -1));~~ ~~#endif~~ ~~#if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3)~~ ~~Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_3], -1));~~ ~~#endif~~ ~~Tcl_SetObjResult(interp, objPtr);~~ ~~return TCL_OK;~~ ~~clientData = clientData;~~ } / ------------------------------------------------------------------- * HandshakeObjCmd -- * * This command is used to verify whether the handshake is complete * or not.
︙
1169 1170 1171 1172 1173 1174 1175 ~~1176~~ 1177 1178 1179 1180 1181 1182 1183	956 957 958 959 960 961 962 963 964 965 966 967 968 969 970	- +	if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ERR_clear_error(); ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } / Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
︙
1247 1248 1249 1250 1251 1252 1253 ~~1254~~ ~~1255~~ 1256 1257 1258 1259 1260 ~~1261~~ 1262 ~~1263~~ 1264 1265 1266 1267 1268 1269 1270	1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056	- + - - + - +	Tcl_Channel chan; /* The channel to set a mode on. / State statePtr; /* client state for ssl socket / SSL_CTX ctx = NULL; Tcl_Obj script = NULL; Tcl_Obj password = NULL; Tcl_Obj vcmd = NULL; Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar; ~~int idx;~~ int idx, len; ~~Tcl_Size len;~~ int flags = TLS_TCL_INIT; int server = 0; / is connection incoming or outgoing? / char keyfile = NULL; char certfile = NULL; unsigned char key = NULL; ~~~~Tcl_Size~~ key_len = 0;~~ int key_len = 0; unsigned char cert = NULL; ~~~~Tcl_Size~~ cert_len = 0;~~ int cert_len = 0; char ciphers = NULL; char ciphersuites = NULL; char CAfile = NULL; char CAdir = NULL; char DHparams = NULL; char model = NULL; char servername = NULL; /* hostname for Server Name Indication */
︙
1293 1294 1295 1296 1297 1298 1299 ~~1300~~ 1301 1302 1303 1304 1305 1306 1307 1308 ~~1309~~ 1310 1311 1312 1313 1314 1315 1316	1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102	- + - +	if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; } ERR_clear_error(); ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } / Make sure to operate on the topmost channel / chan = Tcl_GetTopChannel(chan); for (idx = 2; idx < objc; idx++) { ~~char opt = Tcl_GetStringFromObj(objv[idx], ~~(Tcl_Size )~~NULL);~~ char opt = Tcl_GetStringFromObj(objv[idx], NULL); if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile);
︙
1324 1325 1326 1327 1328 1329 1330 ~~1331~~ 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 ~~1344~~ 1345 1346 1347 1348 1349 1350 1351	1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137	- + - +	OPTBYTE("-key", key, key_len); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); OPTBOOL("-request", request); OPTBOOL("-require", require); ~~OPTINT("-securitylevel", level);~~ OPTINT("-security_level", level); OPTBOOL("-server", server); OPTSTR("-servername", servername); OPTSTR("-session_id", session_id); OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify \|= SSL_VERIFY_CLIENT_ONCE \| SSL_VERIFY_PEER; if (request && require) verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify \|= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE;
︙
1422 1423 1424 1425 1426 1427 1428 ~~1429 1430~~ 1431 1432 1433 1434 1435 1436 1437	1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223	- - + +	"\": not a TLS channel", NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "CHANNEL", "INVALID", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ctx = ((State )Tcl_GetChannelInstanceData(chan))->ctx; } else { ~~if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, ~~(int)~~ key_len, ~~(int)~~ cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) {~~ if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert, key_len, cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == NULL) { Tls_Free((char ) statePtr); return TCL_ERROR; } } statePtr->ctx = ctx;
︙
1513 1514 1515 1516 1517 1518 1519 ~~1520 1521~~ 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 ~~1538~~ 1539 1540 1541 1542 1543 ~~1544 1545 1546 1547~~ 1548 1549 1550 1551 1552 1553 1554	1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339	- - + - + - - - - + + + +	/* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0, http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. / if (alpn) { / Convert a TCL list into a protocol-list in wire-format / unsigned char protos, p; unsigned int protos_len = 0; ~~~~Tcl_Size cnt, i;~~ int j;~~ int i, len, cnt; Tcl_Obj list; if (Tcl_ListObjGetElements(interp, alpn, &cnt, &list) != TCL_OK) { Tls_Free((char ) statePtr); return TCL_ERROR; } /* Determine the memory required for the protocol-list / for (i = 0; i < cnt; i++) { Tcl_GetStringFromObj(list[i], &len); if (len > 255) { Tcl_AppendResult(interp, "ALPN protocol name too long", (char ) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ~~protos_len += 1 + ~~(int)~~ len;~~ protos_len += 1 + len; } /* Build the complete protocol-list / protos = ckalloc(protos_len); / protocol-lists consist of 8-bit length-prefixed, byte strings / ~~for (j = 0, p = protos; j < cnt; j++) { char str = Tcl_GetStringFromObj(list[j], &len); p++ = ~~(unsigned char)~~ len; memcpy(p, str, ~~(size_t)~~ len);~~ for (i = 0, p = protos; i < cnt; i++) { char str = Tcl_GetStringFromObj(list[i], &len); p++ = len; memcpy(p, str, len); p += len; } / SSL_set_alpn_protos makes a copy of the protocol-list / / Note: This functions reverses the return value convention / if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "failed to set ALPN protocols", (char ) NULL);
︙
1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579	1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365	+	statePtr->protos_len = 0; } /* * SSL Callbacks / SSL_set_app_data(statePtr->ssl, (void )statePtr); /* point back to us / SSL_set_verify(statePtr->ssl, verify, VerifyCallback); SSL_set_info_callback(statePtr->ssl, InfoCallback); / Callback for observing protocol messages / #ifndef OPENSSL_NO_SSL_TRACE / void SSL_CTX_set_msg_callback_arg(statePtr->ctx, (void )statePtr); void SSL_CTX_set_msg_callback(statePtr->ctx, MessageCallback); /
︙
1718 1719 1720 1721 1722 1723 1724 ~~1725~~ 1726 1727 1728 1729 1730 1731 ~~1732~~ 1733 1734 1735 1736 1737 ~~1738~~ 1739 1740 1741 1742 1743 ~~1744~~ 1745 1746 1747 1748 1749 ~~1750~~ 1751 1752 1753 1754 1755 ~~1756~~ 1757 1758 1759 1760 1761 ~~1762~~ 1763 1764 1765 1766 1767 1768 1769	1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555	- + - + - + - + - + - + - +	int off = 0; int load_private_key; const SSL_METHOD method; dprintf("Called"); if (!proto) { ~~Tcl_AppendResult(interp, "no valid protocol selected", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "no valid protocol selected", NULL); return NULL; } /* create SSL context / #if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) if (ENABLED(proto, TLS_PROTO_SSL2)) { ~~Tcl_AppendResult(interp, "SSL2 protocol not supported", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "SSL2 protocol not supported", NULL); return NULL; } #endif #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) if (ENABLED(proto, TLS_PROTO_SSL3)) { ~~Tcl_AppendResult(interp, "SSL3 protocol not supported", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "SSL3 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) if (ENABLED(proto, TLS_PROTO_TLS1)) { ~~Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "TLS 1.0 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) if (ENABLED(proto, TLS_PROTO_TLS1_1)) { ~~Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "TLS 1.1 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) if (ENABLED(proto, TLS_PROTO_TLS1_2)) { ~~Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "TLS 1.2 protocol not supported", NULL); return NULL; } #endif #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3) if (ENABLED(proto, TLS_PROTO_TLS1_3)) { ~~Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "TLS 1.3 protocol not supported", NULL); return NULL; } #endif if (proto == 0) { / Use full range */ SSL_CTX_set_min_proto_version(ctx, 0); SSL_CTX_set_max_proto_version(ctx, 0);
︙
1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856	1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646	+ + + +	} #endif /* Force cipher selection order by server / if (!isServer) { SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } #if OPENSSL_VERSION_NUMBER < 0x10100000L OpenSSL_add_all_algorithms(); / Load ciphers and digests / #endif SSL_CTX_set_app_data(ctx, (void)interp); /* remember the interpreter / SSL_CTX_set_options(ctx, SSL_OP_ALL); / all SSL bug workarounds / SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); / disable compression even if supported / SSL_CTX_set_options(ctx, off); / disable protocol versions / #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); / handle new handshakes in background. On by default in OpenSSL 1.1.1. */
︙
2060 2061 2062 2063 2064 2065 2066 ~~2067~~ 2068 2069 2070 2071 2072 2073 2074	1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864	- +	if (objc < 2 \|\| objc > 3 \|\| (objc == 3 && !strcmp(Tcl_GetString(objv[1]), "-local"))) { Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel"); return TCL_ERROR; } /* Get channel Id / ~~channelName = Tcl_GetStringFromObj(objv[(objc == 2 ? 1 : 2)], ~~(Tcl_Size )~~ NULL);~~ channelName = Tcl_GetStringFromObj(objv[(objc == 2 ? 1 : 2)], NULL); chan = Tcl_GetChannel(interp, channelName, &mode); if (chan == (Tcl_Channel) NULL) { return TCL_ERROR; } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan);
︙
2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095	1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886	+	/* Get certificate for peer or self / if (objc == 2) { peer = SSL_get_peer_certificate(statePtr->ssl); } else { peer = SSL_get_certificate(statePtr->ssl); } / Get X509 certificate info */ if (peer) { objPtr = Tls_NewX509Obj(interp, peer); if (objc == 2) { X509_free(peer); peer = NULL; }
︙
2130 2131 2132 2133 2134 2135 2136 ~~2137~~ 2138 2139 2140 2141 2142 2143 2144	1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935	- +	} /* Verify mode depth / LAPPEND_INT(interp, objPtr, "verifyDepth", SSL_get_verify_depth(statePtr->ssl)); / Report the selected protocol as a result of the negotiation / SSL_get0_alpn_selected(statePtr->ssl, &proto, &len); ~~LAPPEND_STR(interp, objPtr, "alpn", (char )proto, (~~Tcl_Size~~) len);~~ LAPPEND_STR(interp, objPtr, "alpn", (char )proto, (int) len); LAPPEND_STR(interp, objPtr, "protocol", SSL_get_version(statePtr->ssl), -1); / Valid for non-RSA signature and TLS 1.3 */ if (objc == 2) { res = SSL_get_peer_signature_nid(statePtr->ssl, &nid); } else { res = SSL_get_signature_nid(statePtr->ssl, &nid);
︙
2180 2181 2182 2183 2184 2185 2186 ~~2187~~ 2188 2189 2190 2191 2192 2193 2194	1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985	- +	const EVP_MD md; if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); } ~~chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], ~~(Tcl_Size )~~NULL), NULL);~~ chan = Tcl_GetChannel(interp, Tcl_GetStringFromObj(objv[1], NULL), NULL); if (chan == (Tcl_Channel) NULL) { return(TCL_ERROR); } /* Make sure to operate on the topmost channel */ chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
︙
2213 2214 2215 2216 2217 2218 2219 ~~2220~~ 2221 2222 2223 2224 2225 2226 2227	2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018	- +	/* Get protocol / LAPPEND_STR(interp, objPtr, "protocol", SSL_get_version(ssl), -1); / Renegotiation allowed / LAPPEND_BOOL(interp, objPtr, "renegotiation_allowed", SSL_get_secure_renegotiation_support(ssl)); / Get security level / ~~LAPPEND_INT(interp, objPtr, "securitylevel", SSL_get_security_level(ssl));~~ LAPPEND_INT(interp, objPtr, "security_level", SSL_get_security_level(ssl)); / Session info / LAPPEND_BOOL(interp, objPtr, "session_reused", SSL_session_reused(ssl)); / Is server info */ LAPPEND_BOOL(interp, objPtr, "is_server", SSL_is_server(ssl));
︙
2260 2261 2262 2263 2264 2265 2266 ~~2267 2268 2269 2270~~ 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 ~~2294~~ 2295 2296 2297 2298 ~~2299~~ 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 ~~2313~~ 2314 2315 2316 ~~2317~~ 2318 2319 2320 ~~2321~~ 2322 2323 2324 2325 2326 2327 ~~2328~~ 2329 2330 2331 ~~2332~~ 2333 2334 2335 2336 2337 2338 2339	2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130	- - - - + + + + - + - + - + - + - + - + - +	LAPPEND_STR(interp, objPtr, "keyExchangeNID", (char )OBJ_nid2ln(SSL_CIPHER_get_kx_nid(cipher)), -1); LAPPEND_STR(interp, objPtr, "authenticationNID", (char )OBJ_nid2ln(SSL_CIPHER_get_auth_nid(cipher)), -1); /* message authentication code - Cipher is AEAD (e.g. GCM or ChaCha20/Poly1305) or not / / Authenticated Encryption with associated data (AEAD) check / LAPPEND_BOOL(interp, objPtr, "cipher_is_aead", SSL_CIPHER_is_aead(cipher)); ~~/ Digest used during the SSL/TLS handshake when using the cipher. /~~ ~~md = SSL_CIPHER_get_handshake_digest(cipher);~~ ~~LAPPEND_STR(interp, objPtr, "handshake_digest", (char )EVP_MD_name(md), -1);~~ /* Get OpenSSL-specific ID, not IANA ID / LAPPEND_INT(interp, objPtr, "cipher_id", (int) SSL_CIPHER_get_id(cipher)); / Two-byte ID used in the TLS protocol of the given cipher / LAPPEND_INT(interp, objPtr, "protocol_id", (int) SSL_CIPHER_get_protocol_id(cipher)); / Textual description of the cipher / if (SSL_CIPHER_description(cipher, buf, sizeof(buf)) != NULL) { LAPPEND_STR(interp, objPtr, "description", buf, -1); } / Digest used during the SSL/TLS handshake when using the cipher. / md = SSL_CIPHER_get_handshake_digest(cipher); LAPPEND_STR(interp, objPtr, "handshake_digest", (char )EVP_MD_name(md), -1); } /* Session info / session = SSL_get_session(ssl); if (session != NULL) { const unsigned char ticket; size_t len2; unsigned int ulen; const unsigned char session_id, proto; char buffer[SSL_MAX_MASTER_KEY_LENGTH]; /* Report the selected protocol as a result of the ALPN negotiation / SSL_SESSION_get0_alpn_selected(session, &proto, &len2); ~~LAPPEND_STR(interp, objPtr, "alpn", (char ) proto, (~~Tcl_Size~~) len2);~~ LAPPEND_STR(interp, objPtr, "alpn", (char ) proto, (int) len2); / Report the selected protocol as a result of the NPN negotiation / #ifdef USE_NPN SSL_get0_next_proto_negotiated(ssl, &proto, &ulen); ~~LAPPEND_STR(interp, objPtr, "npn", (char ) proto, (~~Tcl_Size~~) ulen);~~ LAPPEND_STR(interp, objPtr, "npn", (char ) proto, (int) ulen); #endif / Resumable session / LAPPEND_BOOL(interp, objPtr, "resumable", SSL_SESSION_is_resumable(session)); / Session start time (seconds since epoch) / LAPPEND_LONG(interp, objPtr, "start_time", SSL_SESSION_get_time(session)); / Timeout value - SSL_CTX_get_timeout (in seconds) / LAPPEND_LONG(interp, objPtr, "timeout", SSL_SESSION_get_timeout(session)); / Session id - TLSv1.2 and below only / session_id = SSL_SESSION_get_id(session, &ulen); ~~LAPPEND_BARRAY(interp, objPtr, "session_id", session_id, (~~Tcl_Size~~) ulen);~~ LAPPEND_BARRAY(interp, objPtr, "session_id", session_id, (int) ulen); / Session context / session_id = SSL_SESSION_get0_id_context(session, &ulen); ~~LAPPEND_BARRAY(interp, objPtr, "session_context", session_id, (~~Tcl_Size~~) ulen);~~ LAPPEND_BARRAY(interp, objPtr, "session_context", session_id, (int) ulen); / Session ticket - client only / SSL_SESSION_get0_ticket(session, &ticket, &len2); ~~LAPPEND_BARRAY(interp, objPtr, "session_ticket", ticket, (~~Tcl_Size~~) len2);~~ LAPPEND_BARRAY(interp, objPtr, "session_ticket", ticket, (int) len2); / Session ticket lifetime hint (in seconds) / LAPPEND_LONG(interp, objPtr, "lifetime", SSL_SESSION_get_ticket_lifetime_hint(session)); / Ticket app data / SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2); ~~LAPPEND_BARRAY(interp, objPtr, "ticket_app_data", ticket, (~~Tcl_Size~~) len2);~~ LAPPEND_BARRAY(interp, objPtr, "ticket_app_data", ticket, (int) len2); / Get master key / len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH); ~~LAPPEND_BARRAY(interp, objPtr, "master_key", buffer, (~~Tcl_Size~~) len2);~~ LAPPEND_BARRAY(interp, objPtr, "master_key", buffer, (int) len2); / Compression id / unsigned int id = SSL_SESSION_get_compress_id(session); LAPPEND_STR(interp, objPtr, "compression_id", id == 1 ? "zlib" : "none", -1); } / Compression info */
︙
2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 ~~2390 2391 2392 2393~~ ~~2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414~~ 2415 ~~2416~~ 2417 2418 ~~2419 2420~~ 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 ~~2440 2441~~ 2442 2443 2444 2445 2446 2447 2448	2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212	+ - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - +	/* CA List / / IF not a server, same as SSL_get0_peer_CA_list. If server same as SSL_CTX_get_client_CA_list / listPtr = Tcl_NewListObj(0, NULL); STACK_OF(X509_NAME) ca_list; if ((ca_list = SSL_get_client_CA_list(ssl)) != NULL) { char buffer[BUFSIZ]; for (int i = 0; i < sk_X509_NAME_num(ca_list); i++) { X509_NAME name = sk_X509_NAME_value(ca_list, i); if (name) { X509_NAME_oneline(name, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buffer, -1)); } } } LAPPEND_OBJ(interp, objPtr, "caList", listPtr); LAPPEND_INT(interp, objPtr, "caListCount", sk_X509_NAME_num(ca_list)); ~~~~Tcl_SetObjResult(interp, objPtr);~~ ~~return TCL_OK;~~ ~~clientData = clientData;~~ }~~ / ------------------------------------------------------------------- * VersionObjCmd -- return version string from OpenSSL. * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / ~~static int~~ ~~VersionObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) {~~ ~~Tcl_Obj objPtr;~~ ~~dprintf("Called");~~ ~~objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1);~~ Tcl_SetObjResult(interp, objPtr); return TCL_OK; clientData = clientData; ~~objc = objc;~~ ~~objv = objv;~~ } / ------------------------------------------------------------------- * MiscObjCmd -- misc commands * * Results: * A standard Tcl result. * * Side effects: * None. * ------------------------------------------------------------------- / static int MiscObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { static const char *commands [] = { "req", "strreq", NULL }; enum command { C_REQ, C_STRREQ, C_DUMMY }; ~~~~Tcl_Size cmd;~~ int isStr;~~ int cmd, isStr; char buffer[16384]; dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); return TCL_ERROR;
︙
2457 2458 2459 2460 2461 2462 2463 ~~2464~~ ~~2465~~ 2466 2467 2468 2469 2470 2471 2472	2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235	- + -	switch ((enum command) cmd) { case C_REQ: case C_STRREQ: { EVP_PKEY pkey=NULL; X509 cert=NULL; X509_NAME name=NULL; Tcl_Obj listv; ~~~~Tcl_Size~~ listc;~~ int listc,i; ~~int i;~~ BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,str; int keysize,serial=0,days=365;
︙
2489 2490 2491 2492 2493 2494 2495 ~~2496~~ 2497 2498 2499 2500 2501 2502 2503	2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267	- + +	pemout=Tcl_GetString(objv[4]); if (isStr) { Tcl_SetVar(interp,keyout,"",0); Tcl_SetVar(interp,pemout,"",0); } if (objc>=6) { ~~if (Tcl_ListObjGetElements(interp, objv[5], ~~&listc, &listv) != TCL_OK) {~~~~ if (Tcl_ListObjGetElements(interp, objv[5], &listc, &listv) != TCL_OK) { return TCL_ERROR; } if ((listc%2) != 0) { Tcl_SetResult(interp,"Information list must have even number of arguments",NULL); return TCL_ERROR; }
︙
2769 2770 2771 2772 2773 2774 2775 ~~2776~~ 2777 2778 2779 ~~2780~~ 2781 2782 2783 2784 2785 ~~2786 2787 2788~~ 2789 2790 2791 2792 2793 2794 2795	2533 2534 2535 2536 2537 2538 2539 2540 2541 2542 2543 2544 2545 2546 2547 2548 2549 2550 2551 2552 2553 2554 2555 2556 2557 2558 2559	- + - + - - - + + +	#endif if (Tcl_PkgRequire(interp, "Tcl", "8.5-", 0) == NULL) { return TCL_ERROR; } #endif if (TlsLibInit(0) != TCL_OK) { ~~Tcl_AppendResult(interp, "could not initialize SSL library", ~~(char )~~ NULL);~~ Tcl_AppendResult(interp, "could not initialize SSL library", NULL); return TCL_ERROR; } ~~Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL);~~ Tcl_CreateObjCommand(interp, "tls::connection", ConnectionInfoObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::unimport", UnimportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); Tcl_CreateObjCommand(interp, "tls::status", StatusObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL); ~~Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL);~~ Tcl_Cre~~ateObj~~Command(interp~~, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc ) NULL~~); Tcl_~~CreateObj~~Command(interp~~, "tls::protocols", ProtocolsObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL~~); Tls_DigestCommands(interp); Tls_InfoCommands(interp); if (interp) { Tcl_Eval(interp, tlsTclInitScript); } return Tcl_PkgProvide(interp, PACKAGE_NAME, PACKAGE_VERSION); }
︙

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 ~~23 24~~ 25 26 27 28 29 30 31	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30	- + - + - - +	/* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * * Provides BIO layer to interface openssl to Tcl. / #include "tlsInt.h" static int BioWrite(BIO bio, const char buf, int bufLen) { Tcl_Channel chan; ~~~~Tcl_Size~~ ret;~~ int ret; int tclEofChan, tclErrno; chan = Tls_GetParent((State ) BIO_get_data(bio), 0); dprintf("[chan=%p] BioWrite(%p, <buf>, %d)", (void )chan, (void ) bio, bufLen); ~~ret = Tcl_WriteRaw(chan, buf, ~~(Tcl_Size)~~ bufLen);~~ ret = (int) Tcl_WriteRaw(chan, buf, bufLen); tclEofChan = Tcl_Eof(chan); tclErrno = Tcl_GetErrno(); ~~~~dprintf("[chan=%p] BioWrite(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d]",~~ (void ) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());~~ dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void ) chan, bufLen, ret, tclEofChan, Tcl_GetErrno()); BIO_clear_flags(bio, BIO_FLAGS_WRITE \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0;
︙
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 ~~79 80~~ 81 82 83 84 85 86 87	50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85	- + - + - - +	if (ret != -1 \|\| (ret == -1 && tclErrno == EAGAIN)) { if (BIO_should_read(bio)) { dprintf("Setting should retry read flag"); BIO_set_retry_read(bio); } } ~~return(~~(int)~~ ret);~~ return(ret); } static int BioRead(BIO bio, char buf, int bufLen) { Tcl_Channel chan; Tcl_Size ret = 0; int tclEofChan, tclErrno; chan = Tls_GetParent((State ) BIO_get_data(bio), 0); dprintf("[chan=%p] BioRead(%p, <buf>, %d)", (void ) chan, (void ) bio, bufLen); if (buf == NULL) { return 0; } ~~ret = Tcl_ReadRaw(chan, buf, ~~(Tcl_Size)~~ bufLen);~~ ret = Tcl_ReadRaw(chan, buf, bufLen); tclEofChan = Tcl_Eof(chan); tclErrno = Tcl_GetErrno(); ~~~~dprintf("[chan=%p] BioRead(%d) -> %" TCL_SIZE_MODIFIER "d [tclEof=%d; tclErrno=%d]",~~ (void ) chan, bufLen, ret, tclEofChan, tclErrno);~~ dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno); BIO_clear_flags(bio, BIO_FLAGS_READ \| BIO_FLAGS_SHOULD_RETRY); if (tclEofChan && ret <= 0) { dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF"); Tcl_SetErrno(ECONNRESET); ret = 0;
︙
108 109 110 111 112 113 114 ~~115~~ ~~116~~ 117 ~~118~~ 119 120 121 122 123 124 125	106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122	- + - - +	if (BIO_should_write(bio)) { dprintf("Setting should retry write flag"); BIO_set_retry_write(bio); } } ~~dprintf("BioRead(%p, <buf>, %d) [%p] returning %~~" TCL_SIZE_MODIFIER "d~~", (void ) bio,~~ dprintf("BioRead(%p, <buf>, %d) [%p] returning %i", (void ) bio, bufLen, (void ) chan, ret); ~~bufLen, (void ) chan, ret);~~ ~~return(~~(int)~~ ret);~~ return(ret); } static int BioPuts(BIO bio, const char str) { dprintf("BioPuts(%p, <string:%p>) called", bio, str); return BioWrite(bio, str, (int) strlen(str)); }
︙

︙
159 160 161 162 163 164 165 ~~166~~ 167 168 169 170 171 172 173	159 160 161 162 163 164 165 166 167 168 169 170 171 172 173	- +	dprintf("Flushing the lower layers failed, this will probably terminate this session"); } } rc = SSL_get_error(statePtr->ssl, err); dprintf("Got error: %i (rc = %i)", err, rc); ~~dprintf("Got error: %s", E~~RR_reason_error_string(ERR_get_error()~~));~~ dprintf("Got error: %s", REASON()); bioShouldRetry = 0; if (err <= 0) { if (rc == SSL_ERROR_WANT_CONNECT \|\| rc == SSL_ERROR_WANT_ACCEPT \|\| rc == SSL_ERROR_WANT_READ \|\| rc == SSL_ERROR_WANT_WRITE) { bioShouldRetry = 1; } else if (BIO_should_retry(statePtr->bio)) { bioShouldRetry = 1;
︙
230 231 232 233 234 235 236 ~~237~~ 238 239 240 241 242 243 244	230 231 232 233 234 235 236 237 238 239 240 241 242 243 244	- +	} statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; return(-1); case SSL_ERROR_SSL: dprintf("Got permanent fatal SSL error, aborting immediately"); ~~Tls_Error(statePtr, (char )E~~RR_reason_error_string(ERR_get_error()~~));~~ Tls_Error(statePtr, (char )REASON()); statePtr->flags \|= TLS_TCL_HANDSHAKE_FAILED; *errorCodePtr = ECONNABORTED; return(-1); case SSL_ERROR_WANT_CONNECT: case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_X509_LOOKUP:
︙

︙
38 39 40 41 42 43 44 45 ~~46 47 48 49~~ 50 51 52 53 54 55 56	38 39 40 41 42 43 44 45 46 47 48 49 50 51 52	- + - - - -	# endif #endif /* * Backwards compatibility for size type change */ #if TCL_MAJOR_VERSION < 9 && TCL_MINOR_VERSION < 7 ~~~~#ifn~~def Tcl_Size~~ # define Tcl_Size int ~~typedef int Tcl_Size;~~ ~~#endif~~ ~~#define TCL_SIZE_MODIFIER ""~~ #endif #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> #include <openssl/opensslv.h>
︙
100 101 102 103 104 105 106 107 108 109 110 111 112 113	96 97 98 99 100 101 102 103 104 105 106 107 108 109 110	+	#else #define dprintf(...) if (0) { fprintf(stderr, __VA_ARGS__); } #define dprintBuffer(bufferName, bufferLength) // #define dprintFlags(statePtr) // #endif #define TCLTLS_SSL_ERROR(ssl,err) ((char)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err)))) #define REASON() ERR_reason_error_string(ERR_get_error()) / Common list append macros */ #define LAPPEND_BARRAY(interp, obj, text, value, size) {\ if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \ Tcl_ListObjAppendElement(interp, obj, Tcl_NewByteArrayObj(value, size)); \ } #define LAPPEND_STR(interp, obj, text, value, size) {\
︙
194 195 196 197 198 199 200 201 202 203 204 205 206	191 192 193 194 195 196 197 198 199 200 201 202 203 204 205	+ +	Tcl_Obj Tls_NewX509Obj(Tcl_Interp interp, X509 cert); Tcl_Obj Tls_NewCAObj(Tcl_Interp interp, const SSL ssl, int peer); void Tls_Error(State statePtr, char msg); void Tls_Free(char blockPtr); void Tls_Clean(State statePtr); int Tls_WaitForConnect(State statePtr, int errorCodePtr, int handshakeFailureIsPermanent); int Tls_DigestCommands(Tcl_Interp interp); int Tls_InfoCommands(Tcl_Interp interp); BIO BIO_new_tcl(State statePtr, int flags); #define PTR2INT(x) ((int) ((intptr_t) (x))) #endif /* _TLSINT_H */

︙
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36	16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40	- + + + + - + + - +	/* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. / #define CERT_STR_SIZE 32768 / * Binary string to hex string / ~~int String_to_Hex(char input, int ilen, char output, int olen) {~~ int String_to_Hex(unsigned char input, int ilen, unsigned char output, int olen) { int count = 0; unsigned char iptr = input; unsigned char optr = &output[0]; const char hex = "0123456789abcdef"; for (int i = 0; i < ilen && count < olen - 1; i++, count += 2) { ~~sprintf(output + count, "%02X", input[i] & 0xff);~~ optr++ = hex[(iptr>>4)&0xF]; optr++ = hex[(iptr++)&0xF]; } ~~~~output[count]~~ = 0;~~ optr = 0; return count; } / * BIO to Buffer / int BIO_to_Buffer(int result, BIO bio, void *buffer, int size) {
︙
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92	79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96	- + - +	/ Tcl_Obj Tls_x509Identifier(ASN1_OCTET_STRING astring) { Tcl_Obj resultPtr = NULL; int len = 0; char buffer[1024]; if (astring != NULL) { ~~len = String_to_Hex(~~(char )~~ASN1_STRING_get0_data(astring),~~ len = String_to_Hex(ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, 1024); } ~~resultPtr = Tcl_NewStringObj(buffer, ~~(Tcl_Size)~~ len);~~ resultPtr = Tcl_NewStringObj(buffer, len); return resultPtr; } / * Get Key Usage / Tcl_Obj Tls_x509KeyUsage(Tcl_Interp interp, X509 cert, uint32_t xflags) {
︙
200 201 202 203 204 205 206 ~~207~~ 208 209 210 211 212 213 214	204 205 206 207 208 209 210 211 212 213 214 215 216 217 218	- +	} if (names = X509_get_ext_d2i(cert, nid, NULL, NULL)) { for (int i=0; i < sk_GENERAL_NAME_num(names); i++) { const GENERAL_NAME name = sk_GENERAL_NAME_value(names, i); len = BIO_to_Buffer(name && GENERAL_NAME_print(bio, name), bio, buffer, 1024); ~~LAPPEND_STR(interp, listPtr, NULL, buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, listPtr, NULL, buffer, len); } sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } return listPtr; } /
︙
277 278 279 280 281 282 283 ~~284~~ 285 286 287 288 289 290 291 292 ~~293~~ 294 295 296 297 298 299 300	281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304	- + - +	if (distpoint->type == 0) { /* full-name GENERALIZEDNAME / for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { GENERAL_NAME gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j); int type; ASN1_STRING uri = GENERAL_NAME_get0_value(gen, &type); if (type == GEN_URI) { ~~LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_get0_data(uri), ~~(Tcl_Size)~~ ASN1_STRING_length(uri));~~ LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)); } } } else if (distpoint->type == 1) { / relative-name X509NAME / STACK_OF(X509_NAME_ENTRY) sk_relname = distpoint->name.relativename; for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) { X509_NAME_ENTRY e = sk_X509_NAME_ENTRY_value(sk_relname, j); ASN1_STRING d = X509_NAME_ENTRY_get_data(e); ~~LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_data(d), ~~(Tcl_Size)~~ ASN1_STRING_length(d));~~ LAPPEND_STR(interp, listPtr, NULL, ASN1_STRING_data(d), ASN1_STRING_length(d)); } } } CRL_DIST_POINTS_free(crl); } return listPtr; }
︙
331 332 333 334 335 336 337 ~~338~~ 339 340 341 342 343 344 345	335 336 337 338 339 340 341 342 343 344 345 346 347 348 349	- +	if (ads = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)) { for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(ads); i++) { ad = sk_ACCESS_DESCRIPTION_value(ads, i); if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location) { if (ad->location->type == GEN_URI) { len = ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier); ~~Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buf, ~~(Tcl_Size)~~ len));~~ Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buf, len)); OPENSSL_free(buf); break; } } } /* sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free); */ AUTHORITY_INFO_ACCESS_free(ads);
︙
391 392 393 394 395 396 397 ~~398~~ 399 400 401 402 403 404 405 ~~406~~ 407 408 409 410 411 412 413 ~~414~~ 415 416 417 418 419 ~~420~~ 421 422 423 ~~424~~ 425 426 427 428 ~~429~~ 430 431 432 ~~433 434~~ 435 436 437 438 ~~439 440~~ 441 442 443 444 445 446 447 448 449 450 451 452 453 454 ~~455~~ 456 457 458 459 460 ~~461~~ 462 463 464 465 466 467 ~~468~~ 469 470 471 472 473 474 475 476 477 478 ~~479~~ 480 481 482 483 484 485 486 487 488 489 ~~490~~ 491 492 493 ~~494~~ 495 496 497 498 499 500 ~~501~~ 502 503 504 505 506 507 508 509 510 511 512 513 514 ~~515~~ 516 517 518 519 520 521 522	395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526	- + - + - + - + - + - + - - + + - - + + - + - + - + - + - + - + - + - +	int sig_nid; X509_get0_signature(&sig, &sig_alg, cert); /* sig_nid = X509_get_signature_nid(cert) / sig_nid = OBJ_obj2nid(sig_alg->algorithm); LAPPEND_STR(interp, certPtr, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1); len = (sig_nid != NID_undef) ? String_to_Hex(sig->data, sig->length, buffer, BUFSIZ) : 0; ~~LAPPEND_STR(interp, certPtr, "signatureValue", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "signatureValue", buffer, len); } / Version of the encoded certificate - RFC 5280 section 4.1.2.1 / LAPPEND_LONG(interp, certPtr, "version", X509_get_version(cert)+1); / Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 / len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "serialNumber", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "serialNumber", buffer, len); / Signature algorithm used by the CA to sign the certificate. Must match signatureAlgorithm. RFC 5280 section 4.1.2.3 / LAPPEND_STR(interp, certPtr, "signature", OBJ_nid2ln(X509_get_signature_nid(cert)), -1); / Issuer identifies the entity that signed and issued the cert. RFC 5280 section 4.1.2.4 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "issuer", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "issuer", buffer, len); / Certificate validity period is the interval the CA warrants that it will maintain info on the status of the certificate. RFC 5280 section 4.1.2.5 / / Get Validity - Not Before / len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notBefore(cert)), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "notBefore", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "notBefore", buffer, len); / Get Validity - Not After / len = BIO_to_Buffer(ASN1_TIME_print(bio, X509_get0_notAfter(cert)), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "notAfter", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "notAfter", buffer, len); / Subject identifies the entity associated with the public key stored in the subject public key field. RFC 5280 section 4.1.2.6 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "subject", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "subject", buffer, len); / SHA1 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha1(), md, &len)) { ~~len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha1_hash", buffer, ~~(Tcl_Size)~~ len);~~ len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha1_hash", buffer, len); } / SHA256 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha256(), md, &len)) { ~~len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha256_hash", buffer, ~~(Tcl_Size)~~ len);~~ len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha256_hash", buffer, len); } / Subject Public Key Info specifies the public key and identifies the algorithm with which the key is used. RFC 5280 section 4.1.2.7 / if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) { ASN1_BIT_STRING key; unsigned int n; LAPPEND_STR(interp, certPtr, "signingDigest", OBJ_nid2ln(mdnid), -1); LAPPEND_STR(interp, certPtr, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1); LAPPEND_INT(interp, certPtr, "bits", bits); /* Effective security bits / key = X509_get0_pubkey_bitstr(cert); len = String_to_Hex(key->data, key->length, buffer, BUFSIZ); ~~LAPPEND_STR(interp, certPtr, "publicKey", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "publicKey", buffer, len); len = 0; if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } ~~LAPPEND_STR(interp, certPtr, "publicKeyHash", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "publicKeyHash", buffer, len); / digest of the DER representation of the certificate / len = 0; if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } ~~LAPPEND_STR(interp, certPtr, "signatureHash", buffer, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "signatureHash", buffer, len); } / Certificate Purpose. Call before checking for extensions. / LAPPEND_STR(interp, certPtr, "purpose", Tls_x509Purpose(cert), -1); LAPPEND_OBJ(interp, certPtr, "certificatePurpose", Tls_x509Purposes(interp, cert)); / Get extensions flags / xflags = X509_get_extension_flags(cert); LAPPEND_INT(interp, certPtr, "extFlags", xflags); ~~/ Check if cert was issued by CA cert issuer or self signed /~~ / Check if cert was issued by CA cert issuer or self signed / LAPPEND_BOOL(interp, certPtr, "selfIssued", xflags & EXFLAG_SI); LAPPEND_BOOL(interp, certPtr, "selfSigned", xflags & EXFLAG_SS); LAPPEND_BOOL(interp, certPtr, "isProxyCert", xflags & EXFLAG_PROXY); LAPPEND_BOOL(interp, certPtr, "extInvalid", xflags & EXFLAG_INVALID); LAPPEND_BOOL(interp, certPtr, "isCACert", X509_check_ca(cert)); / The Unique Ids are used to handle the possibility of reuse of subject and/or issuer names over time. RFC 5280 section 4.1.2.8 / { const ASN1_BIT_STRING iuid, suid; ~~X509_get0_uids(cert, &iuid, &suid);~~ X509_get0_uids(cert, &iuid, &suid); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerUniqueId", -1)); if (iuid != NULL) { ~~Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )iuid->data, ~~(Tcl_Size)~~ iuid->length));~~ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )iuid->data, iuid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectUniqueId", -1)); if (suid != NULL) { ~~Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )suid->data, ~~(Tcl_Size)~~ suid->length));~~ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char )suid->data, suid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } / X509 v3 Extensions - RFC 5280 section 4.1.2.9 / LAPPEND_INT(interp, certPtr, "extCount", X509_get_ext_count(cert)); LAPPEND_OBJ(interp, certPtr, "extensions", Tls_x509Extensions(interp, cert)); / Authority Key Identifier (AKI) is the Subject Key Identifier (SKI) of its signer (the CA). RFC 5280 section 4.2.1.1, NID_authority_key_identifier / LAPPEND_OBJ(interp, certPtr, "authorityKeyIdentifier", Tls_x509Identifier(X509_get0_authority_key_id(cert))); / Subject Key Identifier (SKI) is used to identify certificates that contain a particular public key. RFC 5280 section 4.2.1.2, NID_subject_key_identifier / LAPPEND_OBJ(interp, certPtr, "subjectKeyIdentifier", Tls_x509Identifier(X509_get0_subject_key_id(cert))); / Key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key in the certificate. RFC 5280 section 4.2.1.3, NID_key_usage */
︙
581 582 583 584 585 586 587 ~~588~~ 589 590 591 592 593 594 595 596 ~~597~~ 598 599 600 ~~601~~ 602 603 604 605 606	585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610	- + - + - +	/* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access / / Certificate Alias. If uses a PKCS#12 structure, alias will reflect the friendlyName attribute (RFC 2985). / { len = 0; char string = X509_alias_get0(cert, &len); ~~LAPPEND_STR(interp, certPtr, "alias", string, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "alias", string, len); } /* Certificate and dump all data / { char certStr[CERT_STR_SIZE]; / Get certificate / len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE); ~~LAPPEND_STR(interp, certPtr, "certificate", certStr, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "certificate", certStr, len); / Get all cert info */ len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, certStr, CERT_STR_SIZE); ~~LAPPEND_STR(interp, certPtr, "all", certStr, ~~(Tcl_Size)~~ len);~~ LAPPEND_STR(interp, certPtr, "all", certStr, len); } BIO_free(bio); return certPtr; }