Changes On Branch e63b467c48f0e7a7

Changes In Branch dh Through [e63b467c48] Excluding Merge-Ins

This is equivalent to a diff from c498845865 to e63b467c48

2023-12-29
03:09
Merged in dh branch check-in: 594dfd3195 user: bohagan tags: trunk
03:09
Updated to auto set DH parameters. Updated to use well known Diffie-Hellman (DH) parameters that have built-in support in OpenSSL. This means the DH parameters will be selected to be consistent with the size of the key associated with the server's certificate. If there is no certificate (e.g. for PSK ciphersuites), then it it will be consistent with the size of the negotiated symmetric cipher key. Leaf check-in: d3d16ea77f user: bohagan tags: dh
00:46
Use env var for OpenSSL executable path. Source: https://core.tcl-lang.org/tcltls/tktview/034c8d2587 check-in: e63b467c48 user: bohagan tags: dh
2023-12-28
23:15
Refactored DH generation to not need a separate file for DH data. Added missing header files to generated file. check-in: d3319fd18b user: bohagan tags: dh
20:01
Created DH branch check-in: 22f9df2429 user: bohagan tags: dh
2023-12-21
20:15
Merged in master changes check-in: 265ace08fe user: bohagan tags: crypto
19:56
Optimized Init stub load and package require. Use general pkhIndex.tcl file. check-in: c498845865 user: bohagan tags: trunk
2023-12-11
10:37
Updated to latest tclconfig changes check-in: 98e3157245 user: bohagan tags: trunk

Modified generic/gen_dh_params from [90177a1658] to [6e6f58d906].

9
10
11
12
13
14
15
16





17
18
19
20
21
22
23
24
25
26





















































27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48


49
50
51
52
53
54
55
			;;
		bits=*)
			bits="`echo "${arg}" | cut -f 2 -d =`"
			;;
	esac
done

openssl_dhparam() {





	if openssl dhparam -C "$@" | sed	\
	    -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/'	\
	    -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'
	then
		return 0
	fi

	return 1
}






















































gen_dh_params_openssl() {
	openssl_dhparam "${bits}" < /dev/null || return 1
	return 0
}

gen_dh_params_remote() {
	url="https://2ton.com.au/dhparam/${bits}"

	r_input="`curl -sS "${url}"`" || \
		r_input="`wget -O - -o /dev/null "${url}"`" || return 1

	if r_output="`echo "${r_input}" | openssl_dhparam`"; then
		echo "${r_output}"

		return 0
	fi

	return 1
}

gen_dh_params_fallback() {
	cat << \_EOF_


DH *get_dhParams(void) {
	static unsigned char dhp[] = {
_EOF_
	case "${bits}" in
		2048)
			cat << \_EOF_
		0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F,







|
>
>
>
>
>
|









>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

|









|










>
>







9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
			;;
		bits=*)
			bits="`echo "${arg}" | cut -f 2 -d =`"
			;;
	esac
done

openssl_dhparam1() {
	dir=''
	if [ -n "${OPENSSL}" ]; then
	    dir="${OPENSSL}/"
	fi

	if ${dir}openssl dhparam -C "$@" | sed	\
	    -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/'	\
	    -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'
	then
		return 0
	fi

	return 1
}

# OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here
openssl_dhparam3() {
	dir=''
	if [ -n "${OPENSSL}" ]; then
	    dir="${OPENSSL}/"
	fi

	cat << \_EOF_
#include <openssl/dh.h>
#include <openssl/bn.h>
static DH *get_dhParams(void) {
	static unsigned char dhp[] = {
_EOF_

	if ${dir}openssl dhparam -text "$@" | \
	    sed -E -e '/^---/,/^---/d' \
		-e '/(DH|prime|generator|P|G|recommended)/d' \
		-e 's/([0-9a-h]{2})(:|$$)/0x\1, /g'
	then
		break
	else
		return 1
	fi

	cat << \_EOF_
	};
	static unsigned char dhg[] = {
		0x02,
	};

	DH *dh = DH_new();;
	BIGNUM *p, *g;

	if (dh == NULL) {
		return NULL;
	}

	p = BN_bin2bn(dhp, sizeof (dhp), NULL);
	g = BN_bin2bn(dhg, sizeof (dhg), NULL);

	if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) {
		DH_free(dh);
		BN_free(p);
		BN_free(g);
		return(NULL);
	}
	return dh;
}
_EOF_

	return 0
}

gen_dh_params_openssl() {
	openssl_dhparam3 "${bits}" < /dev/null || return 1
	return 0
}

gen_dh_params_remote() {
	url="https://2ton.com.au/dhparam/${bits}"

	r_input="`curl -sS "${url}"`" || \
		r_input="`wget -O - -o /dev/null "${url}"`" || return 1

	if r_output="`echo "${r_input}" | openssl_dhparam1`"; then
		echo "${r_output}"

		return 0
	fi

	return 1
}

gen_dh_params_fallback() {
	cat << \_EOF_
#include <openssl/dh.h>
#include <openssl/bn.h>
DH *get_dhParams(void) {
	static unsigned char dhp[] = {
_EOF_
	case "${bits}" in
		2048)
			cat << \_EOF_
		0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F,
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
	if (dh == NULL) {
		return NULL;
	}

	dhp_bn = BN_bin2bn(dhp, sizeof (dhp), NULL);
	dhg_bn = BN_bin2bn(dhg, sizeof (dhg), NULL);

#ifdef TCLTLS_OPENSSL_PRE_1_1_API
	dh->p = dhp_bn;
	dh->g = dhg_bn;

	if (dhp_bn == NULL || dhg_bn == NULL) {
#else
	if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
#endif
		DH_free(dh);
		BN_free(dhp_bn);
		BN_free(dhg_bn);
		return(NULL);
	}

	return(dh);







<
<
<
<
<
<

<







290
291
292
293
294
295
296






297

298
299
300
301
302
303
304
	if (dh == NULL) {
		return NULL;
	}

	dhp_bn = BN_bin2bn(dhp, sizeof (dhp), NULL);
	dhg_bn = BN_bin2bn(dhg, sizeof (dhg), NULL);







	if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {

		DH_free(dh);
		BN_free(dhp_bn);
		BN_free(dhg_bn);
		return(NULL);
	}

	return(dh);
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280

echo "*****************************" >&2
echo "** Generating DH Primes.   **" >&2
echo "** This will take a while. **" >&2
echo "*****************************" >&2
echo "Use OpenSSL" >&2
gen_dh_params_openssl && exit 0
echo "Use Remote" >&2
gen_dh_params_remote && exit 0
echo "Use fallback" >&2
gen_dh_params_fallback && exit 0

echo "Unable to generate parameters for DH of ${bits} bits" >&2

exit 1







|
|






319
320
321
322
323
324
325
326
327
328
329
330
331
332
333

echo "*****************************" >&2
echo "** Generating DH Primes.   **" >&2
echo "** This will take a while. **" >&2
echo "*****************************" >&2
echo "Use OpenSSL" >&2
gen_dh_params_openssl && exit 0
#echo "Use Remote" >&2
#gen_dh_params_remote && exit 0
echo "Use fallback" >&2
gen_dh_params_fallback && exit 0

echo "Unable to generate parameters for DH of ${bits} bits" >&2

exit 1

Modified generic/tls.c from [42a5997f51] to [7c1b9c1884].

1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
	OPTBYTE("-key", key, key_len);
	OPTSTR("-keyfile", keyfile);
	OPTSTR("-model", model);
	OPTOBJ("-password", password);
	OPTBOOL("-post_handshake", post_handshake);
	OPTBOOL("-request", request);
	OPTBOOL("-require", require);
	OPTINT("-security_level", level);
	OPTBOOL("-server", server);
	OPTSTR("-servername", servername);
	OPTSTR("-session_id", session_id);
	OPTBOOL("-ssl2", ssl2);
	OPTBOOL("-ssl3", ssl3);
	OPTBOOL("-tls1", tls1);
	OPTBOOL("-tls1.1", tls1_1);
	OPTBOOL("-tls1.2", tls1_2);
	OPTBOOL("-tls1.3", tls1_3);
	OPTOBJ("-validatecommand", vcmd);
	OPTOBJ("-vcmd", vcmd);

	OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand");

	return TCL_ERROR;
    }
    if (request)		verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
    if (request && require)	verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    if (request && post_handshake)	verify |= SSL_VERIFY_POST_HANDSHAKE;
    if (verify == 0)		verify = SSL_VERIFY_NONE;







|












|







1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
	OPTBYTE("-key", key, key_len);
	OPTSTR("-keyfile", keyfile);
	OPTSTR("-model", model);
	OPTOBJ("-password", password);
	OPTBOOL("-post_handshake", post_handshake);
	OPTBOOL("-request", request);
	OPTBOOL("-require", require);
	OPTINT("-securitylevel", level);
	OPTBOOL("-server", server);
	OPTSTR("-servername", servername);
	OPTSTR("-session_id", session_id);
	OPTBOOL("-ssl2", ssl2);
	OPTBOOL("-ssl3", ssl3);
	OPTBOOL("-tls1", tls1);
	OPTBOOL("-tls1.1", tls1_1);
	OPTBOOL("-tls1.2", tls1_2);
	OPTBOOL("-tls1.3", tls1_3);
	OPTOBJ("-validatecommand", vcmd);
	OPTOBJ("-vcmd", vcmd);

	OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand");

	return TCL_ERROR;
    }
    if (request)		verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
    if (request && require)	verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    if (request && post_handshake)	verify |= SSL_VERIFY_POST_HANDSHAKE;
    if (verify == 0)		verify = SSL_VERIFY_NONE;