Check-in [952ef184e6]
Comment: Updated to support cert/certfile independently of key/keyfile
SHA3-256: 952ef184e63a5bc435c88c923a5226e110a3e41c875753a029f2870994efd4dc
User & Date: rkeene on 2020-05-04 15:02:04

Modified tls.c from [f5c55ed5c6] to [e32cfd6f1e].

  1274   1274   	    Tcl_DStringFree(&ds);
  1275   1275   	    Tcl_AppendResult(interp,
  1276   1276   			     "unable to set certificate file ", certfile, ": ",
  1277   1277   			     REASON(), (char *) NULL);
  1278   1278   	    SSL_CTX_free(ctx);
  1279   1279   	    return (SSL_CTX *)0;
  1280   1280   	}
         1281  +    } else if (cert != NULL) {
         1282  +	if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
         1283  +	    Tcl_DStringFree(&ds);
         1284  +	    Tcl_AppendResult(interp,
         1285  +			     "unable to set certificate: ",
         1286  +			     REASON(), (char *) NULL);
         1287  +	    SSL_CTX_free(ctx);
         1288  +	    return (SSL_CTX *)0;
         1289  +	}
         1290  +    } else {
         1291  +	certfile = (char*)X509_get_default_cert_file();
  1281   1292   
         1293  +	if (SSL_CTX_use_certificate_file(ctx, certfile,
         1294  +					SSL_FILETYPE_PEM) <= 0) {
         1295  +#if 0
         1296  +	    Tcl_DStringFree(&ds);
         1297  +	    Tcl_AppendResult(interp,
         1298  +			     "unable to use default certificate file ", certfile, ": ",
         1299  +			     REASON(), (char *) NULL);
         1300  +	    SSL_CTX_free(ctx);
         1301  +	    return (SSL_CTX *)0;
         1302  +#endif
         1303  +	}
         1304  +    }
         1305  +
         1306  +    /* set our private key */
         1307  +    if (keyfile == NULL && key == NULL) {
         1308  +	keyfile = certfile;
         1309  +    }
         1310  +
         1311  +    if (keyfile != NULL) {
  1282   1312   	/* get the private key associated with this certificate */
  1283   1313   	if (keyfile == NULL) {
  1284   1314   	    keyfile = certfile;
  1285   1315   	}
  1286   1316   
  1287   1317   	if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds),
  1288   1318   					SSL_FILETYPE_PEM) <= 0) {
................................................................................
  1301   1331   	if (!SSL_CTX_check_private_key(ctx)) {
  1302   1332   	    Tcl_AppendResult(interp,
  1303   1333   			     "private key does not match the certificate public key",
  1304   1334   			     (char *) NULL);
  1305   1335   	    SSL_CTX_free(ctx);
  1306   1336   	    return (SSL_CTX *)0;
  1307   1337   	}
  1308         -    } else if (cert != NULL) {
  1309         -	if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
  1310         -	    Tcl_DStringFree(&ds);
  1311         -	    Tcl_AppendResult(interp,
  1312         -			     "unable to set certificate: ",
  1313         -			     REASON(), (char *) NULL);
  1314         -	    SSL_CTX_free(ctx);
  1315         -	    return (SSL_CTX *)0;
  1316         -	}
  1317         -	if (key == NULL) {
  1318         -	    key = cert;
  1319         -	    key_len = cert_len;
  1320         -	}
         1338  +    } else if (key != NULL) {
  1321   1339   	if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) {
  1322   1340   	    Tcl_DStringFree(&ds);
  1323   1341   	    /* flush the passphrase which might be left in the result */
  1324   1342   	    Tcl_SetResult(interp, NULL, TCL_STATIC);
  1325   1343   	    Tcl_AppendResult(interp,
  1326   1344   			     "unable to set public key: ",
  1327   1345   			     REASON(), (char *) NULL);
  1328   1346   	    SSL_CTX_free(ctx);
  1329   1347   	    return (SSL_CTX *)0;
  1330   1348   	}
  1331         -    } else {
  1332         -	certfile = (char*)X509_get_default_cert_file();
         1349  +    }
  1333   1350   
  1334         -	if (SSL_CTX_use_certificate_file(ctx, certfile,
  1335         -					SSL_FILETYPE_PEM) <= 0) {
  1336         -#if 0
  1337         -	    Tcl_DStringFree(&ds);
  1338         -	    Tcl_AppendResult(interp,
  1339         -			     "unable to use default certificate file ", certfile, ": ",
  1340         -			     REASON(), (char *) NULL);
  1341         -	    SSL_CTX_free(ctx);
  1342         -	    return (SSL_CTX *)0;
  1343         -#endif
  1344         -	}
  1345         -    }
  1346         -	
         1351  +    /* Set verification CAs */
  1347   1352       Tcl_DStringInit(&ds);
  1348   1353       Tcl_DStringInit(&ds1);
  1349   1354       if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CAdir, &ds1)) ||
  1350   1355   	!SSL_CTX_set_default_verify_paths(ctx)) {
  1351   1356   #if 0
  1352   1357   	Tcl_DStringFree(&ds);
  1353   1358   	Tcl_DStringFree(&ds1);
................................................................................
  1356   1361   		REASON(), (char *) NULL);
  1357   1362   	SSL_CTX_free(ctx);
  1358   1363   	return (SSL_CTX *)0;
  1359   1364   #endif
  1360   1365       }
  1361   1366   
  1362   1367       /* https://sourceforge.net/p/tls/bugs/57/ */
         1368  +    /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
  1363   1369       if ( CAfile != NULL ) {
  1364   1370           STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) );
  1365   1371   	if ( certNames != NULL ) { 
  1366   1372   	    SSL_CTX_set_client_CA_list(ctx, certNames );
  1367   1373   	}
  1368   1374       }
  1369   1375
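Review bot: In the first hunk of tls.c, the nested `if (keyfile == NULL) { keyfile = certfile; }` at new lines 1313-1315 is dead code: new lines 1307-1309 already assign `keyfile = certfile` when both `keyfile` and `key` are NULL, and the enclosing `if (keyfile != NULL)` at 1311 guarantees the inner test is always false, so those three lines should be dropped. A behavioural gap the commit does not address is the `cert != NULL` path (new lines 1281-1289): with no `key` and no `keyfile`, `certfile` appears to still be NULL there, so `keyfile` stays NULL, neither `SSL_CTX_use_PrivateKey_*` nor `SSL_CTX_check_private_key` runs, and the context is returned with a certificate but no private key — the removed lines 1317-1320 used to force the key path (and an error) in that case, whereas now the problem only surfaces at handshake time. Consider an explicit error after line 1309 when `cert != NULL && key == NULL && keyfile == NULL`, or a comment stating that an ASN.1 certificate without a key is deliberately accepted. In the default branch (1290-1304), `keyfile = certfile` now routes the `X509_get_default_cert_file()` path — a system CA bundle — into `SSL_CTX_use_PrivateKey_file`, which will attempt to parse a PEM private key out of that bundle and is likely unintended. The enclosing function begins before and ends after this hunk.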