Changes On Branch 54c35183c2d1427d

Changes In Branch dh Through [54c35183c2] Excluding Merge-Ins

This is equivalent to a diff from c498845865 to 54c35183c2

2023-12-29
03:09
Merged in dh branch check-in: 594dfd3195 user: bohagan tags: trunk
2023-12-28
23:15
Refactored DH generation to not need a separate file for DH data. Added missing header files to generated file. check-in: d3319fd18b user: bohagan tags: dh
21:27
DH Changes for OpenSSL 3.0 Source: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275160 and https://cgit.freebsd.org/ports/tree/devel/tcltls/files/dh_params.h?id=2ed62c75d1230bbe8268a1a3c54de2972d50dcf8 check-in: 54c35183c2 user: bohagan tags: dh
20:01
Created DH branch check-in: 22f9df2429 user: bohagan tags: dh
2023-12-21
20:15
Merged in master changes check-in: 265ace08fe user: bohagan tags: crypto
19:56
Optimized Init stub load and package require. Use general pkhIndex.tcl file. check-in: c498845865 user: bohagan tags: trunk
2023-12-11
10:37
Updated to latest tclconfig changes check-in: 98e3157245 user: bohagan tags: trunk

Modified generic/gen_dh_params from [90177a1658] to [e07a009868].

9
10
11
12
13
14
15
16

17
18
19
20
21
22
23
24
25
26















































27
28

29
30
31
32
33
34
35
36
37
38

39
40
41
42
43
44
45
46
47
48


49
50
51
52
53
54
55
9
10
11
12
13
14
15

16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

75
76
77
78
79
80
81
82
83
84

85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104







-
+










+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

-
+









-
+










+
+







			;;
		bits=*)
			bits="`echo "${arg}" | cut -f 2 -d =`"
			;;
	esac
done

openssl_dhparam() {
openssl_dhparam1() {
	if openssl dhparam -C "$@" | sed	\
	    -e 's/^\(static \)*DH \*get_dh[0-9]*/static DH *get_dhParams/'	\
	    -e '/^-----BEGIN DH PARAMETERS-----$/,/^-----END DH PARAMETERS-----$/ d;/^#/ d'
	then
		return 0
	fi

	return 1
}

# OpenSSL 3.0 openssl-dhparam has no "-C" option, so we emulate it here
openssl_dhparam3() {
	if openssl dhparam -text 2048 | \
	    sed -E -e '/^---/,/^---/d' \
		-e '/(DH|prime|generator)/d' \
		-e 's/([0-9a-h]{2})(:|$$)/0x\1, /g' \
		-e generateddh.txt
	then
	else
		return 0
	fi


	cat << \_EOF_
/*
 * OpenSSL no longer offers the "-C" option for its dhparam
 * subcommand, so we keep our own C-code here...
 */

static DH * get_dhParams(void) {
	static unsigned char dhp_2048[] = {
#include "generateddh.txt"
	};
	static unsigned char dhg_2048[] = {
		0x02
	};
	DH	       *dh = DH_new();
	BIGNUM	       *p, *g;

	if (dh == NULL)
		return NULL;
	p = BN_bin2bn(dhp_2048, sizeof(dhp_2048), NULL);
	g = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL);
	if (p == NULL || g == NULL
	    || !DH_set0_pqg(dh, p, NULL, g)) {
		DH_free(dh);
		BN_free(p);
		BN_free(g);
		return NULL;
	}
	return dh;
}
_EOF_

	return 0
}

gen_dh_params_openssl() {
	openssl_dhparam "${bits}" < /dev/null || return 1
	openssl_dhparam3 "${bits}" < /dev/null || return 1
	return 0
}

gen_dh_params_remote() {
	url="https://2ton.com.au/dhparam/${bits}"

	r_input="`curl -sS "${url}"`" || \
		r_input="`wget -O - -o /dev/null "${url}"`" || return 1

	if r_output="`echo "${r_input}" | openssl_dhparam`"; then
	if r_output="`echo "${r_input}" | openssl_dhparam1`"; then
		echo "${r_output}"

		return 0
	fi

	return 1
}

gen_dh_params_fallback() {
	cat << \_EOF_
#include <openssl/dh.h>
#include <openssl/bn.h>
DH *get_dhParams(void) {
	static unsigned char dhp[] = {
_EOF_
	case "${bits}" in
		2048)
			cat << \_EOF_
		0xC1,0x51,0x58,0x69,0xFB,0xE8,0x6C,0x47,0x2B,0x86,0x61,0x4F,
266
267
268
269
270
271
272
273
274


275
276
277
278
279
280
315
316
317
318
319
320
321


322
323
324
325
326
327
328
329







-
-
+
+







echo "*****************************" >&2
echo "** Generating DH Primes.   **" >&2
echo "** This will take a while. **" >&2
echo "*****************************" >&2
echo "Use OpenSSL" >&2
gen_dh_params_openssl && exit 0
echo "Use Remote" >&2
gen_dh_params_remote && exit 0
#echo "Use Remote" >&2
#gen_dh_params_remote && exit 0
echo "Use fallback" >&2
gen_dh_params_fallback && exit 0

echo "Unable to generate parameters for DH of ${bits} bits" >&2

exit 1

Modified generic/tls.c from [42a5997f51] to [7c1b9c1884].

1324
1325
1326
1327
1328
1329
1330
1331

1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344

1345
1346
1347
1348
1349
1350
1351
1324
1325
1326
1327
1328
1329
1330

1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343

1344
1345
1346
1347
1348
1349
1350
1351







-
+












-
+







	OPTBYTE("-key", key, key_len);
	OPTSTR("-keyfile", keyfile);
	OPTSTR("-model", model);
	OPTOBJ("-password", password);
	OPTBOOL("-post_handshake", post_handshake);
	OPTBOOL("-request", request);
	OPTBOOL("-require", require);
	OPTINT("-security_level", level);
	OPTINT("-securitylevel", level);
	OPTBOOL("-server", server);
	OPTSTR("-servername", servername);
	OPTSTR("-session_id", session_id);
	OPTBOOL("-ssl2", ssl2);
	OPTBOOL("-ssl3", ssl3);
	OPTBOOL("-tls1", tls1);
	OPTBOOL("-tls1.1", tls1_1);
	OPTBOOL("-tls1.2", tls1_2);
	OPTBOOL("-tls1.3", tls1_3);
	OPTOBJ("-validatecommand", vcmd);
	OPTOBJ("-vcmd", vcmd);

	OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand");
	OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand");

	return TCL_ERROR;
    }
    if (request)		verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
    if (request && require)	verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    if (request && post_handshake)	verify |= SSL_VERIFY_POST_HANDSHAKE;
    if (verify == 0)		verify = SSL_VERIFY_NONE;