Overview
| Comment: | Added session context, basic constraints, and publickeyhash status |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | status_x509 |
| Files: | files | file ages | folders |
| SHA3-256: |
4a0a74f23803fec6e431869ba3dd7a8e |
| User & Date: | bohagan on 2023-08-12 04:07:40 |
| Other Links: | branch diff | manifest | tags |
Context
|
2023-08-13
| ||
| 01:00 | Added get CA list to connection status check-in: c95df396da user: bohagan tags: status_x509 | |
|
2023-08-12
| ||
| 04:07 | Added session context, basic constraints, and publickeyhash status check-in: 4a0a74f238 user: bohagan tags: status_x509 | |
| 03:34 | Refactored X509 code to consolidate like functions, eliminate many buffers, etc Added function BIO_to_Buffer to consolidate copy BIO data to buffer. Moved get all data and certificate to end of function. check-in: a1bcda35b1 user: bohagan tags: status_x509 | |
Changes
Modified generic/tls.c from [5b3a9ccd27] to [59bf4e72f6].
| ︙ | ︙ | |||
382 383 384 385 386 387 388 389 390 391 392 393 394 395 |
if (statePtr->vcmd == (Tcl_Obj*)NULL) {
if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
return ok;
} else {
return 1;
}
}
/* Create command to eval */
cmdPtr = Tcl_DuplicateObj(statePtr->vcmd);
Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1));
Tcl_ListObjAppendElement(interp, cmdPtr,
Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
| > > | 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 |
if (statePtr->vcmd == (Tcl_Obj*)NULL) {
if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
return ok;
} else {
return 1;
}
} else if (cert == NULL || ssl == NULL) {
return 0;
}
/* Create command to eval */
cmdPtr = Tcl_DuplicateObj(statePtr->vcmd);
Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1));
Tcl_ListObjAppendElement(interp, cmdPtr,
Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
|
| ︙ | ︙ | |||
853 854 855 856 857 858 859 |
const unsigned char *p;
size_t len, remaining;
dprintf("Called");
if (statePtr->vcmd == (Tcl_Obj*)NULL) {
return SSL_CLIENT_HELLO_SUCCESS;
| | | 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 |
const unsigned char *p;
size_t len, remaining;
dprintf("Called");
if (statePtr->vcmd == (Tcl_Obj*)NULL) {
return SSL_CLIENT_HELLO_SUCCESS;
} else if (ssl == (const SSL *)NULL || arg == (void *)NULL) {
return SSL_CLIENT_HELLO_ERROR;
}
/* Get names */
if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) || remaining <= 2) {
*alert = SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER;
return SSL_CLIENT_HELLO_ERROR;
|
| ︙ | ︙ | |||
2306 2307 2308 2309 2310 2311 2312 |
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("timeout", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_timeout(session)));
/* Session ticket lifetime hint (in seconds) */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("lifetime", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_ticket_lifetime_hint(session)));
| | > > > > > | 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 |
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("timeout", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_timeout(session)));
/* Session ticket lifetime hint (in seconds) */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("lifetime", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_ticket_lifetime_hint(session)));
/* Session id - TLSv1.2 and below only */
session_id = SSL_SESSION_get_id(session, &ulen);
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_id", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(session_id, (int) ulen));
/* Session context */
session_id = SSL_SESSION_get0_id_context(session, &ulen);
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_context", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(session_id, (int) ulen));
/* Session ticket - client only */
SSL_SESSION_get0_ticket(session, &ticket, &len2);
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_ticket", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(ticket, (int) len2));
/* Ticket app data */
SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2);
|
| ︙ | ︙ |
Modified generic/tlsX509.c from [983e365409] to [2c04105453].
| ︙ | ︙ | |||
195 196 197 198 199 200 201 202 203 204 205 206 207 208 |
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("bits", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(bits));
key = X509_get0_pubkey_bitstr(cert);
len = String_to_Hex(key->data, key->length, buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKey", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
/* Check if cert was issued by CA cert issuer or self signed */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK));
if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) {
len = String_to_Hex(md, (int)n, buffer, BUFSIZ);
| > > > > > > > > > | 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 |
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("bits", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(bits));
key = X509_get0_pubkey_bitstr(cert);
len = String_to_Hex(key->data, key->length, buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKey", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) {
len = String_to_Hex(md, (int)n, buffer, BUFSIZ);
} else {
len = 0;
}
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKeyHash", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
/* Check if cert was issued by CA cert issuer or self signed */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK));
if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) {
len = String_to_Hex(md, (int)n, buffer, BUFSIZ);
|
| ︙ | ︙ | |||
439 440 441 442 443 444 445 |
/* Subject Directory Attributes provides identification attributes (e.g., nationality)
of the subject. RFC 5280 section 4.2.1.8 (subjectDirectoryAttributes) */
/* Basic Constraints identifies whether the subject of the cert is a CA and
the max depth of valid cert paths that include this cert.
RFC 5280 section 4.2.1.9 (basicConstraints, NID_basic_constraints) */
| | > > > > > > > | 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 |
/* Subject Directory Attributes provides identification attributes (e.g., nationality)
of the subject. RFC 5280 section 4.2.1.8 (subjectDirectoryAttributes) */
/* Basic Constraints identifies whether the subject of the cert is a CA and
the max depth of valid cert paths that include this cert.
RFC 5280 section 4.2.1.9 (basicConstraints, NID_basic_constraints) */
if (xflags & EXFLAG_BCONS) {
long len2 = X509_get_pathlen(cert);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("pathLen", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewLongObj(len2));
}
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("basicConstraintsCA", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(xflags & EXFLAG_CA));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("basicConstraintsCritical", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(xflags & EXFLAG_CRITICAL));
/* Name Constraints is only used in CA certs to indicate a name space within
which all subject names in subsequent certificates in a certification path
MUST be located. RFC 5280 section 4.2.1.10, NID_name_constraints */
/* Policy Constraints is only used in CA certs to limit the length of a
cert chain that may be issued from that CA. RFC 5280 section 4.2.1.11, NID_policy_constraints */
|
| ︙ | ︙ |