Changes In Branch dh Through [d3319fd18b] Excluding Merge-Ins
This is equivalent to a diff from c498845865 to d3319fd18b
2023-12-29
03:09 | Merged in dh branch check-in: 594dfd3195 user: bohagan tags: trunk | |
00:46 | Use env var for OpenSSL executable path. Source: https://core.tcl-lang.org/tcltls/tktview/034c8d2587 check-in: e63b467c48 user: bohagan tags: dh | |
2023-12-28
23:15 | Refactored DH generation to not need a separate file for DH data. Added missing header files to generated file. check-in: d3319fd18b user: bohagan tags: dh | |
21:27 | DH Changes for OpenSSL 3.0 Source: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275160 and https://cgit.freebsd.org/ports/tree/devel/tcltls/files/dh_params.h?id=2ed62c75d1230bbe8268a1a3c54de2972d50dcf8 check-in: 54c35183c2 user: bohagan tags: dh | |
20:01 | Created DH branch check-in: 22f9df2429 user: bohagan tags: dh | |
2023-12-21
20:15 | Merged in master changes check-in: 265ace08fe user: bohagan tags: crypto | |
19:56 | Optimized Init stub load and package require. Use general pkhIndex.tcl file. check-in: c498845865 user: bohagan tags: trunk | |
2023-12-11
10:37 | Updated to latest tclconfig changes check-in: 98e3157245 user: bohagan tags: trunk | |
Modified generic/gen_dh_params from [90177a1658] to [791deedc56].
9 10 11 12 13 14 15 | ;; bits=*) bits="`echo "${arg}" | cut -f 2 -d =`" ;; esac done | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | | > > | 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 | ;; bits=*) bits="`echo "${arg}" | cut -f 2 -d =`" ;; esac done openssl_dhparam1() { if openssl dhparam -C "$@" | sed \ -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/' \ -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d' then return 0 fi return 1 } # OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here openssl_dhparam3() { cat << \_EOF_ #include <openssl/dh.h> #include <openssl/bn.h> static DH *get_dhParams(void) { static unsigned char dhp[] = { _EOF_ openssl dhparam -text "$@" | \ sed -E -e '/^---/,/^---/d' \ -e '/(DH|prime|generator|P|G|recommended)/d' \ -e 's/([0-9a-h]{2})(:|$$)/0x\1, /g' cat << \_EOF_ }; static unsigned char dhg[] = { 0x02, }; DH *dh = DH_new();; BIGNUM *p, *g; if (dh == NULL) { return NULL; } p = BN_bin2bn(dhp, sizeof (dhp), NULL); g = BN_bin2bn(dhg, sizeof (dhg), NULL); if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) { DH_free(dh); BN_free(p); BN_free(g); return(NULL); } return dh; } _EOF_ return 0 } gen_dh_params_openssl() { openssl_dhparam3 "${bits}" < /dev/null || return 1 return 0 } gen_dh_params_remote() { url="https://2ton.com.au/dhparam/${bits}" r_input="`curl -sS "${url}"`" || \ r_input="`wget -O - -o /dev/null "${url}"`" || return 1 if r_output="`echo "${r_input}" | openssl_dhparam1`"; then echo "${r_output}" return 0 fi return 1 } gen_dh_params_fallback() { cat << \_EOF_ #include <openssl/dh.h> #include <openssl/bn.h> DH *get_dhParams(void) { static unsigned char dhp[] = { _EOF_ case "${bits}" in 2048) cat 
<< \_EOF_ 0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F, |
266 267 268 269 270 271 272 | echo "*****************************" >&2 echo "** Generating DH Primes. **" >&2 echo "** This will take a while. **" >&2 echo "*****************************" >&2 echo "Use OpenSSL" >&2 gen_dh_params_openssl && exit 0 | | | | 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 | echo "*****************************" >&2 echo "** Generating DH Primes. **" >&2 echo "** This will take a while. **" >&2 echo "*****************************" >&2 echo "Use OpenSSL" >&2 gen_dh_params_openssl && exit 0 #echo "Use Remote" >&2 #gen_dh_params_remote && exit 0 echo "Use fallback" >&2 gen_dh_params_fallback && exit 0 echo "Unable to generate parameters for DH of ${bits} bits" >&2 exit 1 |
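Review bot: `openssl_dhparam3` in the first hunk ends with an unconditional `return 0`, so a failed `openssl dhparam -text` (openssl not on PATH, or an unsupported `bits` value) is swallowed: the function still emits the C preamble and postamble around an empty `dhp[]` initializer, `gen_dh_params_openssl` reports success, and the `gen_dh_params_fallback` path on the new side of the second hunk is never reached. Capturing the dhparam output before emitting anything lets the script return 1 on failure or empty output, as sketched below. Two smaller nits in the same sed pipeline: the byte pattern `[0-9a-h]{2}` should be `[0-9a-f]{2}` (g and h are not hex digits), and `(:|$$)` looks like a Makefile-escaped `$` that should read `(:|$)` in a plain shell script. The emitted generator is hard-coded as `dhg[] = { 0x02 }`, which matches `openssl dhparam`'s default, so a caller that ever passes `-5` through `"$@"` would get silently mismatched parameters; a comment such as `# generator is fixed at 2; do not pass -5 via "$@"` would record that assumption.
```shell
openssl_dhparam3() {
	# Run dhparam on its own so its exit status is not masked by the sed pipeline
	dh_text="`openssl dhparam -text "$@"`" || return 1
	dh_hex="`echo "${dh_text}" | sed -E -e '/^---/,/^---/d' \
		-e '/(DH|prime|generator|P|G|recommended)/d' \
		-e 's/([0-9a-f]{2})(:|$)/0x\1, /g'`"
	[ -n "${dh_hex}" ] || return 1
	# … unchanged: heredoc emitting the includes and the start of dhp[] …
	echo "${dh_hex}"
	# … unchanged: heredoc emitting dhg[] and the get_dhParams() body …
	return 0
}
```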
Modified generic/tls.c from [42a5997f51] to [7c1b9c1884].
1324 1325 1326 1327 1328 1329 1330 | OPTBYTE("-key", key, key_len); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); OPTBOOL("-request", request); OPTBOOL("-require", require); | | | | 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 | OPTBYTE("-key", key, key_len); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); OPTBOOL("-request", request); OPTBOOL("-require", require); OPTINT("-securitylevel", level); OPTBOOL("-server", server); OPTSTR("-servername", servername); OPTSTR("-session_id", session_id); OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE; |
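Review bot: The new `OPTINT("-securitylevel", level)` accepts any integer and nothing in the hunk range-checks it; OpenSSL documents security levels as 0 to 5, and in its default security callback a level at or below 0 means "anything goes", so `-securitylevel -1` would silently select the most permissive setting instead of being rejected. Where `level` is applied (presumably `SSL_CTX_set_security_level`) is outside the hunk, so the validation is best done at parse time, directly after the option loop: `if (level < 0 || level > 5) { /* report "bad -securitylevel: must be 0 to 5" via the interp and */ return TCL_ERROR; }`. A one-line comment on the `OPTINT` line, `/* OpenSSL security level 0-5, see SSL_CTX_set_security_level(3); higher levels reject weak keys and ciphers */`, would also help readers who do not know the semantics. The enclosing function starts before and continues after the hunk, so whether `level` has a sane default when the option is absent cannot be confirmed here.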