TclTLS: Check-in [0de7b4fc0a]

Overview

Comment:	Removed support for obsolete OpenSSL versions prior to v1.1.1.
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| status_x509
Files:	files \| file ages \| folders
SHA3-256:	0de7b4fc0aa601b24f179a928dc88b0151f88637f67e964e1860d85f700f609e
User & Date:	bohagan on 2023-05-27 03:06:08
Other Links:	branch diff \| manifest \| tags

Context

2023-05-27
19:20		Added session id and ticket to connection status. Added callback to handle session id and ticket updates after the handshake. check-in: 489f45bd81 user: bohagan tags: status_x509
03:06		Removed support for obsolete OpenSSL versions prior to v1.1.1. check-in: 0de7b4fc0a user: bohagan tags: status_x509
2023-05-26
22:43		Added set security level option to set all relevant parameters including cipher suite, encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes and signature algorithms in one operation. check-in: 32ce5d6220 user: bohagan tags: status_x509

Changes

Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Modified generic/tls.c from [0c71e3381c] to [c78a7d27a7].

Modified generic/tlsBIO.c from [2e81a5f072] to [88d81d7f98].

Modified generic/tlsIO.c from [ff0429678e] to [66122f9e33].

Modified generic/tlsInt.h from [9a55e93f5a] to [2fc41e655c].

Modified generic/tlsX509.c from [d4377f05cd] to [ae7fc978bb].

︙
23 24 25 26 27 28 29 30 31 32 33 34 35 36	23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42	+ + + + + +	/ #include "tlsInt.h" #include "tclOpts.h" #include <stdio.h> #include <stdlib.h> #include <openssl/rsa.h> #include <openssl/safestack.h> / Min OpenSSL version / #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif / * External functions / / * Forward declarations
︙
62 63 64 65 66 67 68 ~~69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87~~ 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 ~~109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142~~ 143 144 145 146 147 148 149	68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -	* Static data structures / #ifndef OPENSSL_NO_DH #include "dh_params.h" #endif / * We lose the tcl password callback when we use the RSA BSAFE SSL-C 1.1.2 * libraries instead of the current OpenSSL libraries. / ~~#ifdef BSAFE~~ ~~#define PRE_OPENSSL_0_9_4 1~~ ~~#endif~~ / * Pre OpenSSL 0.9.4 Compat / ~~#ifndef STACK_OF~~ ~~#define STACK_OF(x) STACK~~ ~~#define sk_SSL_CIPHER_num(sk) sk_num((sk))~~ ~~#define sk_SSL_CIPHER_value(sk, index) (SSL_CIPHER)sk_value((sk), (index))~~ ~~#endif~~ /* * Thread-Safe TLS Code / #ifdef TCL_THREADS #define OPENSSL_THREAD_DEFINES #include <openssl/opensslconf.h> #ifdef OPENSSL_THREADS #include <openssl/crypto.h> ~~/ Added /~~ #include <openssl/ssl.h> / * Threaded operation requires locking callbacks * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL. / static Tcl_Mutex locks = NULL; static int locksCount = 0; static Tcl_Mutex init_mx; ~~# if OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~void CryptoThreadLockCallback(int mode, int n, const char file, int line) {~~ ~~if (mode & CRYPTO_LOCK) {~~ ~~/ This debugging is turned off by default -- it's too noisy. /~~ ~~/ dprintf("Called to lock (n=%i of %i)", n, locksCount); /~~ ~~Tcl_MutexLock(&locks[n]);~~ ~~} else {~~ ~~/ dprintf("Called to unlock (n=%i of %i)", n, locksCount); /~~ ~~Tcl_MutexUnlock(&locks[n]);~~ } ~~/ dprintf("Returning"); /~~ ~~return;~~ ~~file = file;~~ ~~line = line;~~ } ~~unsigned long CryptoThreadIdCallback(void) {~~ ~~unsigned long ret;~~ ~~dprintf("Called");~~ ~~ret = (unsigned long) Tcl_GetCurrentThread();~~ ~~dprintf("Returning %lu", ret);~~ ~~return(ret);~~ } ~~#endif~~ #endif / OPENSSL_THREADS / #endif / TCL_THREADS / / -------------------------------------------------------------------
︙
407 408 409 410 411 412 413 ~~414 415 416 417 418 419 420 421 422 423 424 425 426~~ 427 428 429 430 431 432 433	359 360 361 362 363 364 365 366 367 368 369 370 371 372	- - - - - - - - - - - - -	* PasswordCallback -- * * Called when a password is needed to unpack RSA and PEM keys. * Evals any bound password script and returns the result as * the password string. ------------------------------------------------------------------- / ~~#ifdef PRE_OPENSSL_0_9_4~~ /* * No way to handle user-data therefore no way without a global * variable to access the Tcl interpreter. / ~~static int~~ ~~PasswordCallback(char buf, int size, int verify) {~~ ~~return -1;~~ ~~buf = buf;~~ ~~size = size;~~ ~~verify = verify;~~ } ~~#else~~ static int PasswordCallback(char buf, int size, int verify, void udata) { State statePtr = (State ) udata; Tcl_Interp interp = statePtr->interp; Tcl_Obj cmdPtr; int code;
︙
469 470 471 472 473 474 475 ~~476~~ 477 478 479 480 481 482 483	408 409 410 411 412 413 414 415 416 417 418 419 420 421	-	return (int)strlen(ret); } } Tcl_Release((ClientData) interp); return -1; verify = verify; } ~~#endif~~ /* ------------------------------------------------------------------- * CiphersObjCmd -- list available ciphers * * This procedure is invoked to process the "tls::ciphers" command
︙
528 529 530 531 532 533 534 ~~535~~ 536 537 538 539 540 541 ~~542~~ 543 544 545 546 547 548 ~~549~~ 550 551 552 553 554 555 ~~556~~ 557 558 559 560 561 562 563	466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501	- + - + - + - +	#if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| defined(NO_SSL2) \|\| defined(OPENSSL_NO_SSL2) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(SSLv2_method()); break; #endif case TLS_SSL3: ~~#if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3)~~ #if defined(NO_SSL3) \|\| defined(OPENSSL_NO_SSL3) \|\| defined(OPENSSL_NO_SSL3_METHOD) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(SSLv3_method()); break; #endif case TLS_TLS1: ~~#if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1)~~ #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) \|\| defined(OPENSSL_NO_TLS1_METHOD) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_method()); break; #endif case TLS_TLS1_1: ~~#if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1)~~ #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1_METHOD) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_1_method()); break; #endif case TLS_TLS1_2: ~~#if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2)~~ #if defined(NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_2_METHOD) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif case TLS_TLS1_3: #if defined(NO_TLS1_3) \|\| defined(OPENSSL_NO_TLS1_3)
︙
796 797 798 799 800 801 802 ~~803~~ 804 805 ~~806~~ 807 808 809 810 811 812 813 ~~814~~ 815 816 ~~817~~ 818 819 820 821 822 823 824	734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760	- - - + - +	int cert_len = 0; char ciphers = NULL; char ciphersuites = NULL; char CAfile = NULL; char CAdir = NULL; char DHparams = NULL; char model = NULL; ~~#ifndef OPENSSL_NO_TLSEXT~~ char servername = NULL; / hostname for Server Name Indication / Tcl_Obj alpn = NULL; ~~#endif~~ int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; int verify = 0, require = 0, request = 1; dprintf("Called"); ~~#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3~~) && defined(NO_SSL3) && !defined(NO_SSL2~~)~~ #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2) && defined(NO_SSL3) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3) ssl2 = 1; #endif ~~#if !defined(OPENSSL_NO_SSL3) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_~~3) && defined(NO_SSL2) && !defined(NO_SSL~~3)~~ #if !defined(OPENSSL_NO_SSL3) && !defined(NO_SSL3) && defined(NO_SSL2) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3) ssl3 = 1; #endif #if defined(NO_TLS1) \|\| defined(OPENSSL_NO_TLS1) tls1 = 0; #endif #if defined(NO_TLS1_1) \|\| defined(OPENSSL_NO_TLS1_1) tls1_1 = 0;
︙
862 863 864 865 866 867 868 ~~869~~ 870 871 ~~872 873~~ 874 875 876 877 878 879 880	798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813	- - -	OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-require", require); OPTBOOL("-request", request); OPTINT("-securitylevel", level); OPTBOOL("-server", server); ~~#ifndef OPENSSL_NO_TLSEXT~~ OPTSTR("-servername", servername); OPTOBJ("-alpn", alpn); ~~#endif~~ OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTBYTE("-cert", cert, cert_len);
︙
1002 1003 1004 1005 1006 1007 1008 ~~1009~~ 1010 1011 1012 1013 1014 1015 1016	935 936 937 938 939 940 941 942 943 944 945 946 947 948	-	if (!statePtr->ssl) { /* SSL library error / Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(), (char ) NULL); Tls_Free((char ) statePtr); return TCL_ERROR; } ~~#ifndef OPENSSL_NO_TLSEXT~~ if (servername) { if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char ) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } }
︙
1049 1050 1051 1052 1053 1054 1055 ~~1056~~ 1057 1058 1059 1060 1061 1062 1063	981 982 983 984 985 986 987 988 989 990 991 992 993 994	-	Tls_Free((char ) statePtr); ckfree(protos); return TCL_ERROR; } / SSL_set_alpn_protos makes a copy of the protocol-list / ckfree(protos); } ~~#endif~~ / * SSL Callbacks / SSL_set_app_data(statePtr->ssl, (void )statePtr); /* point back to us */ SSL_set_verify(statePtr->ssl, verify, VerifyCallback); SSL_CTX_set_info_callback(statePtr->ctx, InfoCallback);
︙
1207 1208 1209 1210 1211 1212 1213 ~~1214~~ 1215 1216 1217 1218 ~~1219~~ 1220 1221 1222 1223 ~~1224~~ 1225 1226 1227 1228 ~~1229~~ 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 ~~1245~~ 1246 1247 ~~1248 1249 1250~~ 1251 1252 1253 1254 1255 1256 1257	1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184	- + - + - + - + - - - -	switch (proto) { #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) case TLS_PROTO_SSL2: method = SSLv2_method(); break; #endif ~~#if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3)~~ #if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) case TLS_PROTO_SSL3: method = SSLv3_method(); break; #endif ~~#if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1)~~ #if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD) case TLS_PROTO_TLS1: method = TLSv1_method(); break; #endif ~~#if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1)~~ #if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD) case TLS_PROTO_TLS1_1: method = TLSv1_1_method(); break; #endif ~~#if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2)~~ #if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD) case TLS_PROTO_TLS1_2: method = TLSv1_2_method(); break; #endif #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) case TLS_PROTO_TLS1_3: /* * The version range is constrained below, * after the context is created. Use the * generic method here. / method = TLS_method(); break; #endif default: ~~#if OPENSSL_VERSION_NUMBER >= 0x10100000L~~ / Negotiate highest available SSL/TLS version */ method = TLS_method(); ~~#else~~ ~~method = SSLv23_method();~~ ~~#endif~~ #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) off \|= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2); #endif #if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) off \|= (ENABLED(proto, TLS_PROTO_SSL3) ? 0 : SSL_OP_NO_SSLv3); #endif #if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1)
︙
1310 1311 1312 1313 1314 1315 1316 ~~1317 1318~~ 1319 ~~1320~~ 1321 1322 1323 1324 1325 1326 1327	1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251	- - -	if (level > -1 && level < 6) { /* SSL_set_security_level / SSL_CTX_set_security_level(ctx, level); } / set some callbacks / SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback); ~~#ifndef BSAFE~~ SSL_CTX_set_default_passwd_cb_userdata(ctx, (void )statePtr); ~~#endif~~ /* read a Diffie-Hellman parameters file, or use the built-in one / #ifdef OPENSSL_NO_DH if (DHparams != NULL) { Tcl_AppendResult(interp, "DH parameter support not available", (char ) NULL); SSL_CTX_free(ctx); return (SSL_CTX *)0;
︙
1482 1483 1484 1485 1486 1487 1488 ~~1489~~ 1490 1491 ~~1492~~ 1493 1494 1495 1496 1497 1498 1499	1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421	- -	StatusObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { State statePtr; X509 peer; Tcl_Obj objPtr; Tcl_Channel chan; char channelName, ciphers; int mode; ~~#ifndef OPENSSL_NO_TLSEXT~~ const unsigned char proto; unsigned int len; ~~#endif~~ dprintf("Called"); switch (objc) { case 2: channelName = Tcl_GetStringFromObj(objv[1], NULL); break;
︙
1543 1544 1545 1546 1547 1548 1549 ~~1550~~ 1551 1552 1553 1554 ~~1555~~ 1556 1557 1558 1559 1560 1561 1562	1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482	- -	ciphers = (char)SSL_get_cipher(statePtr->ssl); if ((ciphers != NULL) && (strcmp(ciphers, "(NONE)") != 0)) { Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("cipher", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1)); } ~~#ifndef OPENSSL_NO_TLSEXT~~ / Report the selected protocol as a result of the negotiation / SSL_get0_alpn_selected(statePtr->ssl, &proto, &len); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char )proto, (int)len)); ~~#endif~~ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("version", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1)); Tcl_SetObjResult(interp, objPtr); return TCL_OK; clientData = clientData; }
︙
1574 1575 1576 1577 1578 1579 1580 ~~1581 1582~~ 1583 1584 ~~1585 1586~~ 1587 1588 1589 1590 1591 1592 1593	1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510	- - - - +	static int ConnectionInfoObjCmd(ClientData clientData, Tcl_Interp interp, int objc, Tcl_Obj const objv[]) { Tcl_Channel chan; /* The channel to set a mode on. / State statePtr; /* client state for ssl socket / Tcl_Obj objPtr; const SSL ssl; const SSL_CIPHER cipher; ~~#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x10002000L~~ const unsigned char proto; unsigned int len; ~~#endif~~ #if defined(HAVE_SSL_COMPRESSION) ~~&& OPENSSL_VERSION_NUMBER >= 0x10002000L~~ #if defined(HAVE_SSL_COMPRESSION) const COMP_METHOD comp; #endif if (objc != 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel"); return(TCL_ERROR); }
︙
1659 1660 1661 1662 1663 1664 1665 ~~1666~~ 1667 1668 1669 1670 ~~1671~~ 1672 1673 1674 1675 1676 ~~1677~~ 1678 1679 1680 1681 1682 1683 1684	1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599	- - - +	} } Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("renegotiation", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj( SSL_get_secure_renegotiation_support(ssl) ? "allowed" : "disallowed", -1)); ~~#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x10002000L~~ /* Report the selected protocol as a result of the negotiation / SSL_get0_alpn_selected(ssl, &proto, &len); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char )proto, (int)len)); ~~#endif~~ /* Session info / Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_reused", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_session_reused(ssl))); ~~#if defined(HAVE_SSL_COMPRESSION) ~~&& OPENSSL_VERSION_NUMBER >= 0x10002000L~~~~ #if defined(HAVE_SSL_COMPRESSION) / Compression info */ comp = SSL_get_current_compression(ssl); if (comp != NULL) { expansion = SSL_get_current_expansion(ssl); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("compression", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_COMP_get_name(comp), -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("expansion", -1));
︙
1761 1762 1763 1764 1765 1766 1767 ~~1768~~ ~~1769 1770~~ 1771 1772 1773 1774 1775 1776 1777	1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690	- + - -	BIO out=NULL; char k_C="",k_ST="",k_L="",k_O="",k_OU="",k_CN="",k_Email=""; char keyout,pemout,str; int keysize,serial=0,days=365; ~~#if OPENSSL_VERSION_NUMBER <= 0x~~101~~00000L~~ #if OPENSSL_VERSION_NUMBER < 0x30000000L ~~RSA rsa = NULL;~~ ~~#elif OPENSSL_VERSION_NUMBER < 0x30000000L~~ BIGNUM bne = NULL; RSA rsa = NULL; #else EVP_PKEY_CTX *ctx = NULL; #endif if ((objc<5) \|\| (objc>6)) {
︙
1824 1825 1826 1827 1828 1829 1830 ~~1831~~ ~~1832 1833 1834 1835 1836 1837~~ 1838 1839 1840 1841 1842 1843 1844	1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751	- + - - - - - -	} else { Tcl_SetResult(interp,"Unknown parameter",NULL); return TCL_ERROR; } } } ~~#if OPENSSL_VERSION_NUMBER <= 0x~~101~~00000L~~ #if OPENSSL_VERSION_NUMBER < 0x30000000L ~~pkey = EVP_PKEY_new();~~ ~~rsa = RSA_generate_key(keysize, 0x10001, NULL, NULL);~~ ~~if (pkey == NULL \|\| rsa == NULL \|\| !EVP_PKEY_assign_RSA(pkey, rsa)) {~~ ~~EVP_PKEY_free(pkey);~~ ~~/* RSA_free(rsa); freed by EVP_PKEY_free /~~ ~~#elif OPENSSL_VERSION_NUMBER < 0x30000000L~~ bne = BN_new(); rsa = RSA_new(); pkey = EVP_PKEY_new(); if (bne == NULL \|\| rsa == NULL \|\| pkey == NULL \|\| !BN_set_word(bne,RSA_F4) \|\| !RSA_generate_key_ex(rsa, keysize, bne, NULL) \|\| !EVP_PKEY_assign_RSA(pkey, rsa)) { EVP_PKEY_free(pkey); / RSA_free(rsa); freed by EVP_PKEY_free */
︙
1870 1871 1872 1873 1874 1875 1876 ~~1877~~ 1878 1879 1880 1881 1882 1883 1884 ~~1885 1886 1887 1888~~ 1889 1890 ~~1891~~ 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 ~~1909~~ 1910 1911 1912 1913 1914 1915 1916	1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818	- + - - - - - - +	/* PEM_write_bio_RSAPrivateKey(out, rsa, NULL, NULL, 0, NULL, NULL); / BIO_free_all(out); } if ((cert=X509_new())==NULL) { Tcl_SetResult(interp,"Error generating certificate request",NULL); EVP_PKEY_free(pkey); ~~#if ~~OPENSSL_VERSION_NUMBER > 0x10100000L &&~~ OPENSSL_VERSION_NUMBER < 0x30000000L~~ #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif return(TCL_ERROR); } X509_set_version(cert,2); ASN1_INTEGER_set(X509_get_serialNumber(cert),serial); ~~#if OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~X509_gmtime_adj(X509_get_notBefore(cert),0);~~ ~~X509_gmtime_adj(X509_get_notAfter(cert),(long)606024days);~~ ~~#else~~ X509_gmtime_adj(X509_getm_notBefore(cert),0); X509_gmtime_adj(X509_getm_notAfter(cert),(long)606024days); ~~#endif~~ X509_set_pubkey(cert,pkey); name=X509_get_subject_name(cert); X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, (const unsigned char ) k_C, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, (const unsigned char ) k_ST, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, (const unsigned char ) k_L, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (const unsigned char ) k_O, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, (const unsigned char ) k_OU, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, (const unsigned char ) k_CN, -1, -1, 0); X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, (const unsigned char ) k_Email, -1, -1, 0); X509_set_subject_name(cert,name); if (!X509_sign(cert,pkey,EVP_sha256())) { X509_free(cert); EVP_PKEY_free(pkey); ~~#if ~~OPENSSL_VERSION_NUMBER > 0x10100000L &&~~ OPENSSL_VERSION_NUMBER < 0x30000000L~~ #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif Tcl_SetResult(interp,"Error signing certificate",NULL); return TCL_ERROR; } if (isStr) {
︙
1927 1928 1929 1930 1931 1932 1933 ~~1934~~ 1935 1936 1937 1938 1939 1940 1941	1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843	- +	BIO_write_filename(out,pemout); PEM_write_bio_X509(out,cert); BIO_free_all(out); } X509_free(cert); EVP_PKEY_free(pkey); ~~#if ~~OPENSSL_VERSION_NUMBER > 0x10100000L &&~~ OPENSSL_VERSION_NUMBER < 0x30000000L~~ #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif } } break; default: break;
︙
2139 2140 2141 2142 2143 2144 2145 ~~2146 2147 2148 2149 2150 2151 2152 2153~~ 2154 2155 2156 2157 2158 2159 2160	2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054	- - - - - - - -	} dprintf("Asked to uninitialize"); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexLock(&init_mx); ~~#if OPENSSL_VERSION_NUMBER < 0x10000000L~~ ~~CRYPTO_set_locking_callback(NULL);~~ ~~CRYPTO_set_id_callback(NULL);~~ ~~#elif OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~CRYPTO_set_locking_callback(NULL);~~ ~~CRYPTO_THREADID_set_callback(NULL)~~ ~~#endif~~ if (locks) { free(locks); locks = NULL; locksCount = 0; } #endif initialized = 0;
︙
2175 2176 2177 2178 2179 2180 2181 ~~2182 2183 2184~~ 2185 ~~2186~~ 2187 2188 2189 ~~2190 2191 2192 2193 2194 2195 2196~~ 2197 ~~2198~~ 2199 ~~2200 2201 2202 2203 2204 2205~~ 2206 2207 2208 ~~2209 2210 2211 2212 2213 2214 2215 2216 2217~~ 2218 2219 2220 2221 2222 2223 2224	2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091	- - - - - - - - - - - - - - - - - - - - - - - - - - -	#if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexLock(&init_mx); #endif initialized = 1; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) ~~#if OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~num_locks = CRYPTO_num_locks();~~ ~~#else~~ num_locks = 1; ~~#endif~~ locksCount = (int) num_locks; locks = malloc(sizeof(locks) num_locks); memset(locks, 0, sizeof(locks) num_locks); ~~#if OPENSSL_VERSION_NUMBER < 0x10000000L~~ ~~CRYPTO_set_locking_callback(CryptoThreadLockCallback);~~ ~~CRYPTO_set_id_callback(CryptoThreadIdCallback);~~ ~~#elif OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~CRYPTO_set_locking_callback(CryptoThreadLockCallback);~~ ~~CRYPTO_THREADID_set_callback(CryptoThreadIdCallback)~~ #endif ~~#endif~~ ~~# if OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~if (SSL_library_init() != 1) {~~ ~~status = TCL_ERROR;~~ ~~goto done;~~ } ~~#else~~ /* Initialize BOTH libcrypto and libssl. / OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \| OPENSSL_INIT_LOAD_CRYPTO_STRINGS \| OPENSSL_INIT_ADD_ALL_CIPHERS \| OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); ~~#endif~~ ~~# if OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~SSL_load_error_strings();~~ ~~ERR_load_crypto_strings();~~ ~~#else~~ ~~/ Only initialize libcrypto /~~ ~~OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);~~ ~~#endif~~ BIO_new_tcl(NULL, 0); #if 0 / * XXX:TODO: Remove this code and replace it with a check * for enough entropy and do not try to create our own
︙
2239 2240 2241 2242 2243 2244 2245 ~~2246 2247 2248~~ 2249 2250 2251 2252 2253 2254	2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118	- - -	for (i = 0; i < 16; i++) { rnd_seed[i] = 1 + (char) (255.0 * rand()/(RAND_MAX+1.0)); } RAND_seed(rnd_seed, sizeof(rnd_seed)); } while (RAND_status() != 1); #endif ~~# if OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~done:~~ ~~#endif~~ #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexUnlock(&init_mx); #endif return(status); }

1 2 3 4 5 6 7 8 ~~9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29~~ 30 31 32 33 34 35 36	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15	- - - - - - - - - - - - - - - - - - - - -	/* * Copyright (C) 1997-2000 Matt Newman <[email protected]> * * Provides BIO layer to interface openssl to Tcl. / #include "tlsInt.h" ~~#ifdef TCLTLS_OPENSSL_PRE_1_1_API~~ ~~#define BIO_get_data(bio) ((bio)->ptr)~~ ~~#define BIO_get_init(bio) ((bio)->init)~~ ~~#define BIO_get_shutdown(bio) ((bio)->shutdown)~~ ~~#define BIO_set_data(bio, val) (bio)->ptr = (val)~~ ~~#define BIO_set_init(bio, val) (bio)->init = (val)~~ ~~#define BIO_set_shutdown(bio, val) (bio)->shutdown = (val)~~ ~~/ XXX: This assumes the variable being assigned to is BioMethods /~~ ~~#define BIO_meth_new(type_, name_) (BIO_METHOD )Tcl_Alloc(sizeof(BIO_METHOD)); \~~ ~~memset(BioMethods, 0, sizeof(BIO_METHOD)); \~~ ~~BioMethods->type = type_; \~~ ~~BioMethods->name = name_;~~ ~~#define BIO_meth_set_write(bio, val) (bio)->bwrite = val;~~ ~~#define BIO_meth_set_read(bio, val) (bio)->bread = val;~~ ~~#define BIO_meth_set_puts(bio, val) (bio)->bputs = val;~~ ~~#define BIO_meth_set_ctrl(bio, val) (bio)->ctrl = val;~~ ~~#define BIO_meth_set_create(bio, val) (bio)->create = val;~~ ~~#define BIO_meth_set_destroy(bio, val) (bio)->destroy = val;~~ ~~#endif~~ static int BioWrite(BIO bio, const char buf, int bufLen) { Tcl_Channel chan; int ret; int tclEofChan, tclErrno; chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
︙
57 58 59 60 61 62 63 64 65 66 67 68 69 70 71	36 37 38 39 40 41 42 43 44 45 46 47 48 49 50	- +	} else if (ret < 0) { dprintf("We got some kind of I/O error"); if (tclErrno == EAGAIN) { dprintf("It's EAGAIN"); } else { ~~dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);~~ dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); } } else { dprintf("Successfully wrote some data"); } if (ret != -1 \|\| (ret == -1 && tclErrno == EAGAIN)) {
︙
112 113 114 115 116 117 118 ~~119~~ 120 121 122 123 124 125 126	91 92 93 94 95 96 97 98 99 100 101 102 103 104 105	- +	} else if (ret < 0) { dprintf("We got some kind of I/O error"); if (tclErrno == EAGAIN) { dprintf("It's EAGAIN"); } else { ~~dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);~~ dprintf("It's an unexpected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno); } } else { dprintf("Successfully read some data"); } if (ret != -1 \|\| (ret == -1 && tclErrno == EAGAIN)) {
︙

︙
95 96 97 98 99 100 101 ~~102~~ 103 104 105 106 107 108 109	95 96 97 98 99 100 101 102 103 104 105 106 107 108 109	- +	} /* ------------------------------------------------------ * * Tls_WaitForConnect -- * * Sideeffects: * Side effects: * Issues SSL_accept or SSL_connect * * Result: * None. * ------------------------------------------------------ */
︙
798 799 800 801 802 803 804 ~~805~~ 806 807 808 809 810 811 812	798 799 800 801 802 803 804 805 806 807 808 809 810 811 812	- +	* * ------------------------------------------------* * Handler called by Tcl as a result of * Tcl_CreateChannelHandler - to inform us of activity * on the underlying channel. * ------------------------------------------------* * * Sideeffects: * Side effects: * May generate subsequent calls to * Tcl_NotifyChannel. * * Result: * None. * ------------------------------------------------------
︙
872 873 874 875 876 877 878 ~~879~~ 880 881 882 883 884 885 886	872 873 874 875 876 877 878 879 880 881 882 883 884 885 886	- +	* TlsChannelHandlerTimer -- * * ------------------------------------------------* * Called by the notifier (-> timer) to flush out * information waiting in channel buffers. * ------------------------------------------------* * * Sideeffects: * Side effects: * As of 'TlsChannelHandler'. * * Result: * None. * ------------------------------------------------------ */
︙

︙
98 99 100 101 102 103 104 ~~105~~ 106 107 108 109 110 111 112 113 ~~114~~ 115 116 117 118 119 120 121	98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119	- -	char subject[BUFSIZ]; char issuer[BUFSIZ]; char serial[BUFSIZ]; char notBefore[BUFSIZ]; char notAfter[BUFSIZ]; char certStr[CERT_STR_SIZE], certStr_p; int certStr_len, toRead; ~~#ifndef NO_SSL_SHA~~ char sha1_hash_ascii[SHA_DIGEST_LENGTH 2 + 1]; unsigned char sha1_hash_binary[SHA_DIGEST_LENGTH]; char sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2 + 1]; unsigned char sha256_hash_binary[SHA256_DIGEST_LENGTH]; const char shachars="0123456789ABCDEF"; sha1_hash_ascii[SHA_DIGEST_LENGTH 2] = '\0'; sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2] = '\0'; ~~#endif~~ certStr[0] = 0; if ((bio = BIO_new(BIO_s_mem())) == NULL) { subject[0] = 0; issuer[0] = 0; serial[0] = 0; } else {
︙
160 161 162 163 164 165 166 ~~167 168 169 170~~ 171 172 ~~173~~ 174 ~~175~~ 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 ~~193~~ 194 195 196 197 198 199 200	158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192	- - - - - - - +	certStr_p = '\0'; (void)BIO_flush(bio); } BIO_free(bio); } ~~#if OPENSSL_VERSION_NUMBER < 0x10100000L~~ ~~strcpy(notBefore, ASN1_UTCTIME_tostr(X509_get_notBefore(cert)));~~ ~~strcpy(notAfter, ASN1_UTCTIME_tostr(X509_get_notAfter(cert)));~~ ~~#else~~ strcpy(notBefore, ASN1_UTCTIME_tostr(X509_getm_notBefore(cert))); strcpy(notAfter, ASN1_UTCTIME_tostr(X509_getm_notAfter(cert))); ~~#endif~~ ~~#ifndef NO_SSL_SHA~~ / SHA1 / X509_digest(cert, EVP_sha1(), sha1_hash_binary, NULL); for (int n = 0; n < SHA_DIGEST_LENGTH; n++) { sha1_hash_ascii[n2] = shachars[(sha1_hash_binary[n] & 0xF0) >> 4]; sha1_hash_ascii[n2+1] = shachars[(sha1_hash_binary[n] & 0x0F)]; } Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha1_hash_ascii, SHA_DIGEST_LENGTH 2) ); /* SHA256 / X509_digest(cert, EVP_sha256(), sha256_hash_binary, NULL); for (int n = 0; n < SHA256_DIGEST_LENGTH; n++) { sha256_hash_ascii[n2] = shachars[(sha256_hash_binary[n] & 0xF0) >> 4]; sha256_hash_ascii[n2+1] = shachars[(sha256_hash_binary[n] & 0x0F)]; } Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj( "sha256_hash", -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj( sha256_hash_ascii, SHA256_DIGEST_LENGTH 2) ); ~~#endif~~ Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj( "subject", -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj( subject, -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj( "issuer", -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj( issuer, -1) ); Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj( "notBefore", -1) );
︙