Index: Makefile.in
==================================================================
--- Makefile.in
+++ Makefile.in
@@ -7,10 +7,11 @@
 LIBS = @LIBS@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 prefix = @prefix@
 exec_prefix = @exec_prefix@
 libdir = @libdir@
+genericdir = @srcdir@/generic
 TCL_PACKAGE_PATH = @TCL_PACKAGE_PATH@
 PACKAGE_INSTALL_DIR = $(TCL_PACKAGE_PATH)/tcltls$(PACKAGE_VERSION)
 INSTALL = @INSTALL@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_DATA = @INSTALL_DATA@
@@ -31,21 +32,21 @@
 static-@EXTENSION_TARGET@: tls.o tlsBIO.o tlsIO.o tlsX509.o Makefile
 	$(AR) rcu static-@EXTENSION_TARGET@ tls.o tlsBIO.o tlsIO.o tlsX509.o
 	-$(RANLIB) static-@EXTENSION_TARGET@
 
 # Dependencies for all our targets
-tls.o: @srcdir@/tls.c @srcdir@/tlsInt.h @srcdir@/tclOpts.h tls.tcl.h dh_params.h Makefile
-	$(CC) $(CPPFLAGS) $(CFLAGS) -o tls.o -c @srcdir@/tls.c
-
-tlsBIO.o: @srcdir@/tlsBIO.c @srcdir@/tlsInt.h Makefile
-	$(CC) $(CPPFLAGS) $(CFLAGS) -o tlsBIO.o -c @srcdir@/tlsBIO.c
-
-tlsIO.o: @srcdir@/tlsIO.c @srcdir@/tlsInt.h Makefile
-	$(CC) $(CPPFLAGS) $(CFLAGS) -o tlsIO.o -c @srcdir@/tlsIO.c
-
-tlsX509.o: @srcdir@/tlsX509.c @srcdir@/tlsInt.h Makefile
-	$(CC) $(CPPFLAGS) $(CFLAGS) -o tlsX509.o -c @srcdir@/tlsX509.c
+tls.o: $(genericdir)/tls.c $(genericdir)/tlsInt.h $(genericdir)/tclOpts.h tls.tcl.h dh_params.h Makefile
+	$(CC) $(CPPFLAGS) $(CFLAGS) -o tls.o -c $(genericdir)/tls.c
+
+tlsBIO.o: $(genericdir)/tlsBIO.c $(genericdir)/tlsInt.h Makefile
+	$(CC) $(CPPFLAGS) $(CFLAGS) -o tlsBIO.o -c $(genericdir)/tlsBIO.c
+
+tlsIO.o: $(genericdir)/tlsIO.c $(genericdir)/tlsInt.h Makefile
+	$(CC) $(CPPFLAGS) $(CFLAGS) -o tlsIO.o -c $(genericdir)/tlsIO.c
+
+tlsX509.o: $(genericdir)/tlsX509.c $(genericdir)/tlsInt.h Makefile
+	$(CC) $(CPPFLAGS) $(CFLAGS) -o tlsX509.o -c $(genericdir)/tlsX509.c
 
 # Create a C-source-ified version of the script resources
 # for TclTLS so that we only need a single file to enable
 # this extension
 tls.tcl.h: @srcdir@/tls.tcl Makefile

ADDED   generic/tclOpts.h
Index: generic/tclOpts.h
==================================================================
--- /dev/null
+++ generic/tclOpts.h
@@ -0,0 +1,58 @@
+/*
+ *  Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
+ *
+ * Stylized option processing - requires consitent
+ * external vars: opt, idx, objc, objv
+ */
+#ifndef _TCL_OPTS_H
+#define _TCL_OPTS_H
+
+#define OPT_PROLOG(option)			\
+    if (strcmp(opt, (option)) == 0) {		\
+	if (++idx >= objc) {			\
+	    Tcl_AppendResult(interp,		\
+		"no argument given for ",	\
+		(option), " option",		\
+		(char *) NULL);			\
+	    return TCL_ERROR;			\
+	}
+#define OPT_POSTLOG()				\
+	continue;				\
+    }
+#define OPTOBJ(option, var)			\
+    OPT_PROLOG(option)				\
+    var = objv[idx];				\
+    OPT_POSTLOG()
+
+#define OPTSTR(option, var)			\
+    OPT_PROLOG(option)				\
+    var = Tcl_GetString(objv[idx]);\
+    OPT_POSTLOG()
+
+#define OPTINT(option, var)			\
+    OPT_PROLOG(option)				\
+    if (Tcl_GetIntFromObj(interp, objv[idx],	\
+	    &(var)) != TCL_OK) {		\
+	    return TCL_ERROR;			\
+    }						\
+    OPT_POSTLOG()
+
+#define OPTBOOL(option, var)			\
+    OPT_PROLOG(option)				\
+    if (Tcl_GetBooleanFromObj(interp, objv[idx],\
+	    &(var)) != TCL_OK) {		\
+	    return TCL_ERROR;			\
+    }						\
+    OPT_POSTLOG()
+
+#define OPTBYTE(option, var, lvar)			\
+    OPT_PROLOG(option)				\
+    var = Tcl_GetByteArrayFromObj(objv[idx], &(lvar));\
+    OPT_POSTLOG()
+
+#define OPTBAD(type, list)			\
+    Tcl_AppendResult(interp, "bad ", (type),	\
+		" \"", opt, "\": must be ",	\
+		(list), (char *) NULL)
+
+#endif /* _TCL_OPTS_H */

ADDED   generic/tls.c
Index: generic/tls.c
==================================================================
--- /dev/null
+++ generic/tls.c
@@ -0,0 +1,1947 @@
+/*
+ * Copyright (C) 1997-1999 Matt Newman <matt@novadigm.com>
+ * some modifications:
+ *	Copyright (C) 2000 Ajuba Solutions
+ *	Copyright (C) 2002 ActiveState Corporation
+ *	Copyright (C) 2004 Starfish Systems
+ *
+ * TLS (aka SSL) Channel - can be layered on any bi-directional
+ * Tcl_Channel (Note: Requires Trf Core Patch)
+ *
+ * This was built (almost) from scratch based upon observation of
+ * OpenSSL 0.9.2B
+ *
+ * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
+ * providing the Tcl_ReplaceChannel mechanism and working closely with me
+ * to enhance it to support full fileevent semantics.
+ *
+ * Also work done by the follow people provided the impetus to do this "right":
+ *	tclSSL (Colin McCormack, Shared Technology)
+ *	SSLtcl (Peter Antman)
+ *
+ */
+
+#include "tlsInt.h"
+#include "tclOpts.h"
+#include <stdlib.h>
+
+/*
+ * External functions
+ */
+
+/*
+ * Forward declarations
+ */
+
+#define F2N( key, dsp) \
+	(((key) == NULL) ? (char *) NULL : \
+		Tcl_TranslateFileName(interp, (key), (dsp)))
+#define REASON()	ERR_reason_error_string(ERR_get_error())
+
+static void	InfoCallback(const SSL *ssl, int where, int ret);
+
+static Tcl_ObjCmdProc CiphersObjCmd;
+static Tcl_ObjCmdProc HandshakeObjCmd;
+static Tcl_ObjCmdProc ImportObjCmd;
+static Tcl_ObjCmdProc StatusObjCmd;
+static Tcl_ObjCmdProc VersionObjCmd;
+static Tcl_ObjCmdProc MiscObjCmd;
+static Tcl_ObjCmdProc UnimportObjCmd;
+
+static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
+			char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1,
+			int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile,
+      char *ciphers, char *DHparams);
+
+static int	TlsLibInit(int uninitialize);
+
+#define TLS_PROTO_SSL2		0x01
+#define TLS_PROTO_SSL3		0x02
+#define TLS_PROTO_TLS1		0x04
+#define TLS_PROTO_TLS1_1	0x08
+#define TLS_PROTO_TLS1_2	0x10
+#define TLS_PROTO_TLS1_3	0x20
+#define ENABLED(flag, mask)	(((flag) & (mask)) == (mask))
+
+/*
+ * Static data structures
+ */
+
+#ifndef OPENSSL_NO_DH
+#include "dh_params.h"
+#endif
+
+/*
+ * We lose the tcl password callback when we use the RSA BSAFE SSL-C 1.1.2
+ * libraries instead of the current OpenSSL libraries.
+ */
+
+#ifdef BSAFE
+#define PRE_OPENSSL_0_9_4 1
+#endif
+
+/*
+ * Pre OpenSSL 0.9.4 Compat
+ */
+
+#ifndef STACK_OF
+#define STACK_OF(x)			STACK
+#define sk_SSL_CIPHER_num(sk)		sk_num((sk))
+#define sk_SSL_CIPHER_value( sk, index)	(SSL_CIPHER*)sk_value((sk), (index))
+#endif
+
+/*
+ * Thread-Safe TLS Code
+ */
+
+#ifdef TCL_THREADS
+#define OPENSSL_THREAD_DEFINES
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_THREADS
+#include <openssl/crypto.h>
+
+/*
+ * Threaded operation requires locking callbacks
+ * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL.
+ */
+
+static Tcl_Mutex *locks = NULL;
+static int locksCount = 0;
+static Tcl_Mutex init_mx;
+
+void CryptoThreadLockCallback(int mode, int n, const char *file, int line) {
+
+	if (mode & CRYPTO_LOCK) {
+		/* This debugging is turned off by default -- it's too noisy. */
+		/* dprintf("Called to lock (n=%i of %i)", n, locksCount); */
+		Tcl_MutexLock(&locks[n]);
+	} else {
+		/* dprintf("Called to unlock (n=%i of %i)", n, locksCount); */
+		Tcl_MutexUnlock(&locks[n]);
+	}
+
+	/* dprintf("Returning"); */
+
+	return;
+	file = file;
+	line = line;
+}
+
+unsigned long CryptoThreadIdCallback(void) {
+	unsigned long ret;
+
+	dprintf("Called");
+
+	ret = (unsigned long) Tcl_GetCurrentThread();
+
+	dprintf("Returning %lu", ret);
+
+	return(ret);
+}
+#endif /* OPENSSL_THREADS */
+#endif /* TCL_THREADS */
+
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * InfoCallback --
+ *
+ *	monitors SSL connection process
+ *
+ * Results:
+ *	None
+ *
+ * Side effects:
+ *	Calls callback (if defined)
+ *-------------------------------------------------------------------
+ */
+static void
+InfoCallback(const SSL *ssl, int where, int ret)
+{
+    State *statePtr = (State*)SSL_get_app_data((SSL *)ssl);
+    Tcl_Obj *cmdPtr;
+    const char *major, *minor;
+
+    dprintf("Called");
+
+    if (statePtr->callback == (Tcl_Obj*)NULL)
+	return;
+
+    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
+
+#if 0
+    if (where & SSL_CB_ALERT) {
+	sev = SSL_alert_type_string_long(ret);
+	if (strcmp( sev, "fatal")==0) {	/* Map to error */
+	    Tls_Error(statePtr, SSL_ERROR(ssl, 0));
+	    return;
+	}
+    }
+#endif
+    if (where & SSL_CB_HANDSHAKE_START) {
+	major = "handshake";
+	minor = "start";
+    } else if (where & SSL_CB_HANDSHAKE_DONE) {
+	major = "handshake";
+	minor = "done";
+    } else {
+	if (where & SSL_CB_ALERT)		major = "alert";
+	else if (where & SSL_ST_CONNECT)	major = "connect";
+	else if (where & SSL_ST_ACCEPT)		major = "accept";
+	else					major = "unknown";
+
+	if (where & SSL_CB_READ)		minor = "read";
+	else if (where & SSL_CB_WRITE)		minor = "write";
+	else if (where & SSL_CB_LOOP)		minor = "loop";
+	else if (where & SSL_CB_EXIT)		minor = "exit";
+	else					minor = "unknown";
+    }
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( "info", -1));
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) );
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( major, -1) );
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( minor, -1) );
+
+    if (where & (SSL_CB_LOOP|SSL_CB_EXIT)) {
+	Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( SSL_state_string_long(ssl), -1) );
+    } else if (where & SSL_CB_ALERT) {
+	const char *cp = (char *) SSL_alert_desc_string_long(ret);
+
+	Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( cp, -1) );
+    } else {
+	Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( SSL_state_string_long(ssl), -1) );
+    }
+    Tcl_Preserve( (ClientData) statePtr->interp);
+    Tcl_Preserve( (ClientData) statePtr);
+
+    Tcl_IncrRefCount( cmdPtr);
+    (void) Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL);
+    Tcl_DecrRefCount( cmdPtr);
+
+    Tcl_Release( (ClientData) statePtr);
+    Tcl_Release( (ClientData) statePtr->interp);
+
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * VerifyCallback --
+ *
+ *	Monitors SSL certificate validation process.
+ *	This is called whenever a certificate is inspected
+ *	or decided invalid.
+ *
+ * Results:
+ *	A callback bound to the socket may return one of:
+ *	    0			- the certificate is deemed invalid
+ *	    1			- the certificate is deemed valid
+ *	    empty string	- no change to certificate validation
+ *
+ * Side effects:
+ *	The err field of the currently operative State is set
+ *	  to a string describing the SSL negotiation failure reason
+ *-------------------------------------------------------------------
+ */
+static int
+VerifyCallback(int ok, X509_STORE_CTX *ctx)
+{
+    Tcl_Obj *cmdPtr, *result;
+    char *errStr, *string;
+    Tcl_Size length;
+    SSL   *ssl		= (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+    X509  *cert		= X509_STORE_CTX_get_current_cert(ctx);
+    State *statePtr	= (State*)SSL_get_app_data(ssl);
+    int depth		= X509_STORE_CTX_get_error_depth(ctx);
+    int err		= X509_STORE_CTX_get_error(ctx);
+
+    dprintf("Verify: %d", ok);
+
+    if (!ok) {
+	errStr = (char*)X509_verify_cert_error_string(err);
+    } else {
+	errStr = (char *)0;
+    }
+
+    if (statePtr->callback == (Tcl_Obj*)NULL) {
+	if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+	    return ok;
+	} else {
+	    return 1;
+	}
+    }
+    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( "verify", -1));
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) );
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewIntObj( depth) );
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tls_NewX509Obj( statePtr->interp, cert) );
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewIntObj( ok) );
+
+    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj( errStr ? errStr : "", -1) );
+
+    Tcl_Preserve( (ClientData) statePtr->interp);
+    Tcl_Preserve( (ClientData) statePtr);
+
+    statePtr->flags |= TLS_TCL_CALLBACK;
+
+    Tcl_IncrRefCount( cmdPtr);
+    if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) {
+	/* It got an error - reject the certificate.		*/
+	Tcl_BackgroundError( statePtr->interp);
+	ok = 0;
+    } else {
+	result = Tcl_GetObjResult(statePtr->interp);
+	string = Tcl_GetStringFromObj(result, &length);
+	/* An empty result leaves verification unchanged.	*/
+	if (string != NULL && length > 0) {
+	    if (Tcl_GetIntFromObj(statePtr->interp, result, &ok) != TCL_OK) {
+		Tcl_BackgroundError(statePtr->interp);
+		ok = 0;
+	    }
+	}
+    }
+    Tcl_DecrRefCount( cmdPtr);
+
+    statePtr->flags &= ~(TLS_TCL_CALLBACK);
+
+    Tcl_Release( (ClientData) statePtr);
+    Tcl_Release( (ClientData) statePtr->interp);
+
+    return(ok);	/* By default, leave verification unchanged.	*/
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * Tls_Error --
+ *
+ *	Calls callback with $fd and $msg - so the callback can decide
+ *	what to do with errors.
+ *
+ * Side effects:
+ *	The err field of the currently operative State is set
+ *	  to a string describing the SSL negotiation failure reason
+ *-------------------------------------------------------------------
+ */
+void
+Tls_Error(State *statePtr, char *msg)
+{
+    Tcl_Obj *cmdPtr;
+
+    dprintf("Called");
+
+    if (msg && *msg) {
+	Tcl_SetErrorCode(statePtr->interp, "SSL", msg, (char *)NULL);
+    } else {
+	msg = Tcl_GetString(Tcl_GetObjResult(statePtr->interp));
+    }
+    statePtr->err = msg;
+
+    if (statePtr->callback == (Tcl_Obj*)NULL) {
+	char buf[BUFSIZ];
+	sprintf(buf, "SSL channel \"%s\": error: %s",
+	    Tcl_GetChannelName(statePtr->self), msg);
+	Tcl_SetResult( statePtr->interp, buf, TCL_VOLATILE);
+	Tcl_BackgroundError( statePtr->interp);
+	return;
+    }
+    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
+
+    Tcl_ListObjAppendElement(statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj("error", -1));
+
+    Tcl_ListObjAppendElement(statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
+
+    Tcl_ListObjAppendElement(statePtr->interp, cmdPtr,
+	    Tcl_NewStringObj(msg, -1));
+
+    Tcl_Preserve((ClientData) statePtr->interp);
+    Tcl_Preserve((ClientData) statePtr);
+
+    Tcl_IncrRefCount(cmdPtr);
+    if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) {
+	Tcl_BackgroundError(statePtr->interp);
+    }
+    Tcl_DecrRefCount(cmdPtr);
+
+    Tcl_Release((ClientData) statePtr);
+    Tcl_Release((ClientData) statePtr->interp);
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * PasswordCallback --
+ *
+ *	Called when a password is needed to unpack RSA and PEM keys.
+ *	Evals any bound password script and returns the result as
+ *	the password string.
+ *-------------------------------------------------------------------
+ */
+#ifdef PRE_OPENSSL_0_9_4
+/*
+ * No way to handle user-data therefore no way without a global
+ * variable to access the Tcl interpreter.
+*/
+static int
+PasswordCallback(char *buf, int size, int verify)
+{
+    return -1;
+    	buf = buf;
+	size = size;
+	verify = verify;
+}
+#else
+static int
+PasswordCallback(char *buf, int size, int verify, void *udata)
+{
+    State *statePtr	= (State *) udata;
+    Tcl_Interp *interp	= statePtr->interp;
+    Tcl_Obj *cmdPtr;
+    int result;
+
+    dprintf("Called");
+
+    if (statePtr->password == NULL) {
+	if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL)
+		== TCL_OK) {
+	    char *ret = (char *) Tcl_GetStringResult(interp);
+	    strncpy(buf, ret, (size_t) size);
+	    return (int)strlen(ret);
+	} else {
+	    return -1;
+	}
+    }
+
+    cmdPtr = Tcl_DuplicateObj(statePtr->password);
+
+    Tcl_Preserve((ClientData) statePtr->interp);
+    Tcl_Preserve((ClientData) statePtr);
+
+    Tcl_IncrRefCount(cmdPtr);
+    result = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL);
+    if (result != TCL_OK) {
+	Tcl_BackgroundError(statePtr->interp);
+    }
+    Tcl_DecrRefCount(cmdPtr);
+
+    Tcl_Release((ClientData) statePtr);
+    Tcl_Release((ClientData) statePtr->interp);
+
+    if (result == TCL_OK) {
+	char *ret = (char *) Tcl_GetStringResult(interp);
+	strncpy(buf, ret, (size_t) size);
+	return (int)strlen(ret);
+    } else {
+	return -1;
+    }
+    	verify = verify;
+}
+#endif
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * CiphersObjCmd -- list available ciphers
+ *
+ *	This procedure is invoked to process the "tls::ciphers" command
+ *	to list available ciphers, based upon protocol selected.
+ *
+ * Results:
+ *	A standard Tcl result list.
+ *
+ * Side effects:
+ *	constructs and destroys SSL context (CTX)
+ *
+ *-------------------------------------------------------------------
+ */
+static int
+CiphersObjCmd(
+    TCL_UNUSED(void *),
+    Tcl_Interp *interp,
+    int objc,
+    Tcl_Obj	*const objv[])
+{
+    static const char *protocols[] = {
+	"ssl2",	"ssl3",	"tls1",	"tls1.1", "tls1.2", "tls1.3", NULL
+    };
+    enum protocol {
+	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE
+    };
+    Tcl_Obj *objPtr;
+    SSL_CTX *ctx = NULL;
+    SSL *ssl = NULL;
+    STACK_OF(SSL_CIPHER) *sk;
+    char *cp, buf[BUFSIZ];
+    int index, verbose = 0;
+
+    dprintf("Called");
+
+    if (objc < 2 || objc > 3) {
+	Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose?");
+	return TCL_ERROR;
+    }
+    if (Tcl_GetIndexFromObj( interp, objv[1], protocols, "protocol", 0,
+	&index) != TCL_OK) {
+	return TCL_ERROR;
+    }
+    if (objc > 2 && Tcl_GetBooleanFromObj( interp, objv[2],
+	&verbose) != TCL_OK) {
+	return TCL_ERROR;
+    }
+    switch ((enum protocol)index) {
+    case TLS_SSL2:
+#if defined(NO_SSL2)
+		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(SSLv2_method()); break;
+#endif
+    case TLS_SSL3:
+#if defined(NO_SSL3)
+		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(SSLv3_method()); break;
+#endif
+    case TLS_TLS1:
+#if defined(NO_TLS1)
+		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(TLSv1_method()); break;
+#endif
+    case TLS_TLS1_1:
+#if defined(NO_TLS1_1)
+		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(TLSv1_1_method()); break;
+#endif
+    case TLS_TLS1_2:
+#if defined(NO_TLS1_2)
+		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(TLSv1_2_method()); break;
+#endif
+    case TLS_TLS1_3:
+#if defined(NO_TLS1_3)
+		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(TLS_method()); break;
+                SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+                SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
+#endif
+    default:
+		break;
+    }
+    if (ctx == NULL) {
+	Tcl_AppendResult(interp, REASON(), (char *) NULL);
+	return TCL_ERROR;
+    }
+    ssl = SSL_new(ctx);
+    if (ssl == NULL) {
+	Tcl_AppendResult(interp, REASON(), (char *) NULL);
+	SSL_CTX_free(ctx);
+	return TCL_ERROR;
+    }
+    objPtr = Tcl_NewListObj( 0, NULL);
+
+    if (!verbose) {
+	for (index = 0; ; index++) {
+	    cp = (char*)SSL_get_cipher_list( ssl, index);
+	    if (cp == NULL) break;
+	    Tcl_ListObjAppendElement( interp, objPtr,
+		Tcl_NewStringObj( cp, -1) );
+	}
+    } else {
+	sk = SSL_get_ciphers(ssl);
+
+	for (index = 0; index < sk_SSL_CIPHER_num(sk); index++) {
+	    size_t i;
+	    SSL_CIPHER_description( sk_SSL_CIPHER_value( sk, index),
+				    buf, sizeof(buf));
+	    for (i = strlen(buf) - 1; i ; i--) {
+		if (buf[i] == ' ' || buf[i] == '\n' ||
+		    buf[i] == '\r' || buf[i] == '\t') {
+		    buf[i] = '\0';
+		} else {
+		    break;
+		}
+	    }
+	    Tcl_ListObjAppendElement( interp, objPtr,
+		Tcl_NewStringObj( buf, -1) );
+	}
+    }
+    SSL_free(ssl);
+    SSL_CTX_free(ctx);
+
+    Tcl_SetObjResult( interp, objPtr);
+    return TCL_OK;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * HandshakeObjCmd --
+ *
+ *	This command is used to verify whether the handshake is complete
+ *	or not.
+ *
+ * Results:
+ *	A standard Tcl result. 1 means handshake complete, 0 means pending.
+ *
+ * Side effects:
+ *	May force SSL negotiation to take place.
+ *
+ *-------------------------------------------------------------------
+ */
+
+static int HandshakeObjCmd(
+    TCL_UNUSED(void *),
+    Tcl_Interp *interp,
+    int objc,
+    Tcl_Obj *const objv[])
+{
+	Tcl_Channel chan;		/* The channel to set a mode on. */
+	State *statePtr;		/* client state for ssl socket */
+	const char *errStr = NULL;
+	int ret = 1;
+	int err = 0;
+
+	dprintf("Called");
+
+	if (objc != 2) {
+		Tcl_WrongNumArgs(interp, 1, objv, "channel");
+		return(TCL_ERROR);
+	}
+
+	chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
+	if (chan == (Tcl_Channel) NULL) {
+		return(TCL_ERROR);
+	}
+
+	/*
+	 * Make sure to operate on the topmost channel
+	 */
+	chan = Tcl_GetTopChannel(chan);
+	if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
+		Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL);
+		return(TCL_ERROR);
+	}
+	statePtr = (State *)Tcl_GetChannelInstanceData(chan);
+
+	dprintf("Calling Tls_WaitForConnect");
+	ret = Tls_WaitForConnect(statePtr, &err, 1);
+	dprintf("Tls_WaitForConnect returned: %i", ret);
+
+	if (
+	    ret < 0 && \
+	    ((statePtr->flags & TLS_TCL_ASYNC) && err == EAGAIN)
+	) {
+		dprintf("Async set and err = EAGAIN");
+		ret = 0;
+	} else if (ret < 0) {
+		errStr = statePtr->err;
+		Tcl_ResetResult(interp);
+		Tcl_SetErrno(err);
+
+		if (!errStr || *errStr == 0) {
+			errStr = Tcl_PosixError(interp);
+		}
+
+		Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL);
+		dprintf("Returning TCL_ERROR with handshake failed: %s", errStr);
+		return(TCL_ERROR);
+	} else {
+		if (err != 0) {
+			dprintf("Got an error with a completed handshake: err = %i", err);
+		}
+
+		ret = 1;
+	}
+
+	dprintf("Returning TCL_OK with data \"%i\"", ret);
+	Tcl_SetObjResult(interp, Tcl_NewIntObj(ret));
+	return(TCL_OK);
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * ImportObjCmd --
+ *
+ *	This procedure is invoked to process the "ssl" command
+ *
+ *	The ssl command pushes SSL over a (newly connected) tcp socket
+ *
+ * Results:
+ *	A standard Tcl result.
+ *
+ * Side effects:
+ *	May modify the behavior of an IO channel.
+ *
+ *-------------------------------------------------------------------
+ */
+
+static int
+ImportObjCmd(
+    TCL_UNUSED(void *),
+    Tcl_Interp *interp,
+    int objc,
+    Tcl_Obj *const objv[])
+{
+    Tcl_Channel chan;		/* The channel to set a mode on. */
+    State *statePtr;		/* client state for ssl socket */
+    SSL_CTX *ctx	        = NULL;
+    Tcl_Obj *script	        = NULL;
+    Tcl_Obj *password	        = NULL;
+    Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar;
+    int idx;
+    Tcl_Size len;
+    int flags		        = TLS_TCL_INIT;
+    int server		        = 0;	/* is connection incoming or outgoing? */
+    char *keyfile	        = NULL;
+    char *certfile	        = NULL;
+    unsigned char *key  	= NULL;
+    Tcl_Size key_len        = 0;
+    unsigned char *cert     = NULL;
+    Tcl_Size cert_len       = 0;
+    char *ciphers	        = NULL;
+    char *CAfile	        = NULL;
+    char *CAdir		        = NULL;
+    char *DHparams	        = NULL;
+    char *model		        = NULL;
+#ifndef OPENSSL_NO_TLSEXT
+    char *servername	        = NULL;	/* hostname for Server Name Indication */
+#endif
+    int ssl2 = 0, ssl3 = 0;
+    int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
+    int proto = 0;
+    int verify = 0, require = 0, request = 1;
+
+    dprintf("Called");
+
+#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL3) && !defined(NO_SSL2)
+    ssl2 = 1;
+#endif
+#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL2) && !defined(NO_SSL3)
+    ssl3 = 1;
+#endif
+#if defined(NO_TLS1)
+    tls1 = 0;
+#endif
+#if defined(NO_TLS1_1)
+    tls1_1 = 0;
+#endif
+#if defined(NO_TLS1_2)
+    tls1_2 = 0;
+#endif
+#if defined(NO_TLS1_3)
+    tls1_3 = 0;
+#endif
+
+    if (objc < 2) {
+	Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?");
+	return TCL_ERROR;
+    }
+
+    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
+    if (chan == (Tcl_Channel) NULL) {
+	return TCL_ERROR;
+    }
+
+    /*
+     * Make sure to operate on the topmost channel
+     */
+    chan = Tcl_GetTopChannel(chan);
+
+    for (idx = 2; idx < objc; idx++) {
+	char *opt = Tcl_GetString(objv[idx]);
+
+	if (opt[0] != '-')
+	    break;
+
+	OPTSTR( "-cadir", CAdir);
+	OPTSTR( "-cafile", CAfile);
+	OPTSTR( "-certfile", certfile);
+	OPTSTR( "-cipher", ciphers);
+	OPTOBJ( "-command", script);
+	OPTSTR( "-dhparams", DHparams);
+	OPTSTR( "-keyfile", keyfile);
+	OPTSTR( "-model", model);
+	OPTOBJ( "-password", password);
+	OPTBOOL( "-require", require);
+	OPTBOOL( "-request", request);
+	OPTBOOL( "-server", server);
+#ifndef OPENSSL_NO_TLSEXT
+        OPTSTR( "-servername", servername);
+#endif
+
+	OPTBOOL( "-ssl2", ssl2);
+	OPTBOOL( "-ssl3", ssl3);
+	OPTBOOL( "-tls1", tls1);
+	OPTBOOL( "-tls1.1", tls1_1);
+	OPTBOOL( "-tls1.2", tls1_2);
+	OPTBOOL( "-tls1.3", tls1_3)
+	OPTBYTE("-cert", cert, cert_len);
+	OPTBYTE("-key", key, key_len);
+
+	OPTBAD( "option", "-cadir, -cafile, -cert, -certfile, -cipher, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3");
+
+	return TCL_ERROR;
+    }
+    if (request)	    verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
+    if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+    if (verify == 0)	verify = SSL_VERIFY_NONE;
+
+    proto |= (ssl2 ? TLS_PROTO_SSL2 : 0);
+    proto |= (ssl3 ? TLS_PROTO_SSL3 : 0);
+    proto |= (tls1 ? TLS_PROTO_TLS1 : 0);
+    proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0);
+    proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0);
+    proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0);
+
+    /* reset to NULL if blank string provided */
+    if (cert && !*cert)		        cert	        = NULL;
+    if (key && !*key)		        key	        = NULL;
+    if (certfile && !*certfile)         certfile	= NULL;
+    if (keyfile && !*keyfile)		keyfile	        = NULL;
+    if (ciphers && !*ciphers)	        ciphers	        = NULL;
+    if (CAfile && !*CAfile)	        CAfile	        = NULL;
+    if (CAdir && !*CAdir)	        CAdir	        = NULL;
+    if (DHparams && !*DHparams)	        DHparams        = NULL;
+
+    /* new SSL state */
+    statePtr		= (State *) ckalloc((unsigned) sizeof(State));
+    memset(statePtr, 0, sizeof(State));
+
+    statePtr->flags	= flags;
+    statePtr->interp	= interp;
+    statePtr->vflags	= verify;
+    statePtr->err	= "";
+
+    /* allocate script */
+    if (script) {
+	(void) Tcl_GetStringFromObj(script, &len);
+	if (len) {
+	    statePtr->callback = script;
+	    Tcl_IncrRefCount(statePtr->callback);
+	}
+    }
+
+    /* allocate password */
+    if (password) {
+	(void) Tcl_GetStringFromObj(password, &len);
+	if (len) {
+	    statePtr->password = password;
+	    Tcl_IncrRefCount(statePtr->password);
+	}
+    }
+
+    if (model != NULL) {
+	int mode;
+	/* Get the "model" context */
+	chan = Tcl_GetChannel(interp, model, &mode);
+	if (chan == (Tcl_Channel) NULL) {
+	    Tls_Free((void *)statePtr);
+	    return TCL_ERROR;
+	}
+
+        /*
+         * Make sure to operate on the topmost channel
+         */
+        chan = Tcl_GetTopChannel(chan);
+	if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
+	    Tcl_AppendResult(interp, "bad channel \"",
+		    Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL);
+	    Tls_Free((void *)statePtr);
+	    return TCL_ERROR;
+	}
+	ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
+    } else {
+	if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key,
+    cert, key_len, cert_len, CAdir, CAfile, ciphers,
+    DHparams)) == (SSL_CTX*)0) {
+	    Tls_Free((void *)statePtr);
+	    return TCL_ERROR;
+	}
+    }
+
+    statePtr->ctx = ctx;
+
+    /*
+     * We need to make sure that the channel works in binary (for the
+     * encryption not to get goofed up).
+     * We only want to adjust the buffering in pre-v2 channels, where
+     * each channel in the stack maintained its own buffers.
+     */
+    Tcl_DStringInit(&upperChannelTranslation);
+    Tcl_DStringInit(&upperChannelBlocking);
+    Tcl_DStringInit(&upperChannelEOFChar);
+    Tcl_DStringInit(&upperChannelEncoding);
+    Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar);
+    Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding);
+    Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation);
+    Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking);
+    Tcl_SetChannelOption(interp, chan, "-translation", "binary");
+    Tcl_SetChannelOption(interp, chan, "-blocking", "true");
+    dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan));
+    statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), statePtr, (TCL_READABLE | TCL_WRITABLE), chan);
+    dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self));
+    if (statePtr->self == (Tcl_Channel) NULL) {
+	/*
+	 * No use of Tcl_EventuallyFree because no possible Tcl_Preserve.
+	 */
+	Tls_Free((void *)statePtr);
+	return TCL_ERROR;
+    }
+
+    Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation));
+    Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding));
+    Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar));
+    Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking));
+
+    /*
+     * SSL Initialization
+     */
+
+    statePtr->ssl = SSL_new(statePtr->ctx);
+    if (!statePtr->ssl) {
+	/* SSL library error */
+	Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(),
+		(char *) NULL);
+	Tls_Free((void *)statePtr);
+	return TCL_ERROR;
+    }
+
+#ifndef OPENSSL_NO_TLSEXT
+    if (servername) {
+        if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) {
+            Tcl_AppendResult(interp, "setting TLS host name extension failed",
+                (char *) NULL);
+            Tls_Free((void *)statePtr);
+            return TCL_ERROR;
+        }
+    }
+#endif
+
+    /*
+     * SSL Callbacks
+     */
+
+    SSL_set_app_data(statePtr->ssl, (void *)statePtr);	/* point back to us */
+
+    SSL_set_verify(statePtr->ssl, verify, VerifyCallback);
+
+    SSL_CTX_set_info_callback(statePtr->ctx, InfoCallback);
+
+    /* Create Tcl_Channel BIO Handler */
+    statePtr->p_bio	= BIO_new_tcl(statePtr, BIO_NOCLOSE);
+    statePtr->bio	= BIO_new(BIO_f_ssl());
+
+    if (server) {
+	statePtr->flags |= TLS_TCL_SERVER;
+	SSL_set_accept_state(statePtr->ssl);
+    } else {
+	SSL_set_connect_state(statePtr->ssl);
+    }
+    SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio);
+    BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE);
+
+    /*
+     * End of SSL Init
+     */
+    dprintf("Returning %s", Tcl_GetChannelName(statePtr->self));
+    Tcl_SetResult(interp, (char *) Tcl_GetChannelName(statePtr->self),
+	    TCL_VOLATILE);
+    return TCL_OK;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * UnimportObjCmd --
+ *
+ *	This procedure is invoked to remove the topmost channel filter.
+ *
+ * Results:
+ *	A standard Tcl result.
+ *
+ * Side effects:
+ *	May modify the behavior of an IO channel.
+ *
+ *-------------------------------------------------------------------
+ */
+
+static int
+UnimportObjCmd(
+    TCL_UNUSED(void *),
+    Tcl_Interp *interp,
+    int objc,
+    Tcl_Obj *const objv[])
+{
+    Tcl_Channel chan;		/* The channel to set a mode on. */
+
+    dprintf("Called");
+
+    if (objc != 2) {
+	Tcl_WrongNumArgs(interp, 1, objv, "channel");
+	return TCL_ERROR;
+    }
+
+    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
+    if (chan == (Tcl_Channel) NULL) {
+	return TCL_ERROR;
+    }
+
+    /*
+     * Make sure to operate on the topmost channel
+     */
+    chan = Tcl_GetTopChannel(chan);
+
+    if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
+	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
+		"\": not a TLS channel", (char *)NULL);
+	return TCL_ERROR;
+    }
+
+    if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) {
+	return TCL_ERROR;
+    }
+
+    return TCL_OK;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * CTX_Init -- construct a SSL_CTX instance
+ *
+ * Results:
+ *	A valid SSL_CTX instance or NULL.
+ *
+ * Side effects:
+ *	constructs SSL context (CTX)
+ *
+ *-------------------------------------------------------------------
+ */
+
+static SSL_CTX *
+CTX_Init(
+    State *statePtr,
+    TCL_UNUSED(int) /* isServer */,
+    int proto,
+    char *keyfile,
+    char *certfile,
+    unsigned char *key,
+    unsigned char *cert,
+    int key_len,
+    int cert_len,
+    char *CAdir,
+    char *CAfile,
+    char *ciphers,
+    char *DHparams)
+{
+    Tcl_Interp *interp = statePtr->interp;
+    SSL_CTX *ctx = NULL;
+    Tcl_DString ds;
+    Tcl_DString ds1;
+    int off = 0;
+    int load_private_key;
+    const SSL_METHOD *method;
+
+    dprintf("Called");
+
+    if (!proto) {
+	Tcl_AppendResult(interp, "no valid protocol selected", (char *)NULL);
+	return (SSL_CTX *)0;
+    }
+
+    /* create SSL context */
+#if defined(NO_SSL2)
+    if (ENABLED(proto, TLS_PROTO_SSL2)) {
+	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
+#if defined(NO_SSL3)
+    if (ENABLED(proto, TLS_PROTO_SSL3)) {
+	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
+#if defined(NO_TLS1)
+    if (ENABLED(proto, TLS_PROTO_TLS1)) {
+	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
+#if defined(NO_TLS1_1)
+    if (ENABLED(proto, TLS_PROTO_TLS1_1)) {
+	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
+#if defined(NO_TLS1_2)
+    if (ENABLED(proto, TLS_PROTO_TLS1_2)) {
+	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
+#if defined(NO_TLS1_3)
+    if (ENABLED(proto, TLS_PROTO_TLS1_3)) {
+	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
+
+    switch (proto) {
+#if !defined(NO_SSL2)
+    case TLS_PROTO_SSL2:
+	method = SSLv2_method ();
+	break;
+#endif
+#if !defined(NO_SSL3)
+    case TLS_PROTO_SSL3:
+	method = SSLv3_method ();
+	break;
+#endif
+#if !defined(NO_TLS1)
+    case TLS_PROTO_TLS1:
+	method = TLSv1_method ();
+	break;
+#endif
+#if !defined(NO_TLS1_1)
+    case TLS_PROTO_TLS1_1:
+	method = TLSv1_1_method ();
+	break;
+#endif
+#if !defined(NO_TLS1_2)
+    case TLS_PROTO_TLS1_2:
+	method = TLSv1_2_method ();
+	break;
+#endif
+#if !defined(NO_TLS1_3)
+    case TLS_PROTO_TLS1_3:
+        /*
+         * The version range is constrained below,
+         * after the context is created.  Use the
+         * generic method here.
+         */
+	method = TLS_method ();
+	break;
+#endif
+    default:
+#ifdef HAVE_TLS_METHOD
+        method = TLS_method ();
+#else
+        method = SSLv23_method ();
+#endif
+#if !defined(NO_SSL2)
+	off |= (ENABLED(proto, TLS_PROTO_SSL2)   ? 0 : SSL_OP_NO_SSLv2);
+#endif
+#if !defined(NO_SSL3)
+	off |= (ENABLED(proto, TLS_PROTO_SSL3)   ? 0 : SSL_OP_NO_SSLv3);
+#endif
+#if !defined(NO_TLS1)
+	off |= (ENABLED(proto, TLS_PROTO_TLS1)   ? 0 : SSL_OP_NO_TLSv1);
+#endif
+#if !defined(NO_TLS1_1)
+	off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1);
+#endif
+#if !defined(NO_TLS1_2)
+	off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2);
+#endif
+#if !defined(NO_TLS1_3)
+	off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3);
+#endif
+	break;
+    }
+
+    ctx = SSL_CTX_new (method);
+
+    if (!ctx) {
+        return(NULL);
+    }
+
+#if !defined(NO_TLS1_3)
+    if (proto == TLS_PROTO_TLS1_3) {
+        SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+        SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
+    }
+#endif
+
+    SSL_CTX_set_app_data( ctx, (void*)interp);	/* remember the interpreter */
+    SSL_CTX_set_options( ctx, SSL_OP_ALL);	/* all SSL bug workarounds */
+    SSL_CTX_set_options( ctx, off);	/* all SSL bug workarounds */
+    SSL_CTX_sess_set_cache_size( ctx, 128);
+
+    if (ciphers != NULL)
+	SSL_CTX_set_cipher_list(ctx, ciphers);
+
+    /* set some callbacks */
+    SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
+
+#ifndef BSAFE
+    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr);
+#endif
+
+    /* read a Diffie-Hellman parameters file, or use the built-in one */
+#ifdef OPENSSL_NO_DH
+    if (DHparams != NULL) {
+	Tcl_AppendResult(interp,
+	    "DH parameter support not available", (char *) NULL);
+	SSL_CTX_free(ctx);
+	return (SSL_CTX *)0;
+    }
+#else
+    {
+	DH* dh;
+	if (DHparams != NULL) {
+	    BIO *bio;
+	    Tcl_DStringInit(&ds);
+	    bio = BIO_new_file(F2N(DHparams, &ds), "r");
+	    if (!bio) {
+		Tcl_DStringFree(&ds);
+		Tcl_AppendResult(interp,
+		    "Could not find DH parameters file", (char *) NULL);
+		SSL_CTX_free(ctx);
+		return (SSL_CTX *)0;
+	    }
+
+	    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+	    BIO_free(bio);
+	    Tcl_DStringFree(&ds);
+	    if (!dh) {
+		Tcl_AppendResult(interp,
+		    "Could not read DH parameters from file", (char *) NULL);
+		SSL_CTX_free(ctx);
+		return (SSL_CTX *)0;
+	    }
+	} else {
+	    dh = get_dhParams();
+	}
+	SSL_CTX_set_tmp_dh(ctx, dh);
+	DH_free(dh);
+    }
+#endif
+
+    /* set our certificate */
+    load_private_key = 0;
+    if (certfile != NULL) {
+	load_private_key = 1;
+
+	Tcl_DStringInit(&ds);
+
+	if (SSL_CTX_use_certificate_file(ctx, F2N( certfile, &ds),
+					SSL_FILETYPE_PEM) <= 0) {
+	    Tcl_DStringFree(&ds);
+	    Tcl_AppendResult(interp,
+			     "unable to set certificate file ", certfile, ": ",
+			     REASON(), (char *) NULL);
+	    SSL_CTX_free(ctx);
+	    return (SSL_CTX *)0;
+	}
+    } else if (cert != NULL) {
+	load_private_key = 1;
+	if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
+	    Tcl_DStringFree(&ds);
+	    Tcl_AppendResult(interp,
+			     "unable to set certificate: ",
+			     REASON(), (char *) NULL);
+	    SSL_CTX_free(ctx);
+	    return (SSL_CTX *)0;
+	}
+    } else {
+	certfile = (char*)X509_get_default_cert_file();
+
+	if (SSL_CTX_use_certificate_file(ctx, certfile,
+					SSL_FILETYPE_PEM) <= 0) {
+#if 0
+	    Tcl_DStringFree(&ds);
+	    Tcl_AppendResult(interp,
+			     "unable to use default certificate file ", certfile, ": ",
+			     REASON(), (char *) NULL);
+	    SSL_CTX_free(ctx);
+	    return (SSL_CTX *)0;
+#endif
+	}
+    }
+
+    /* set our private key */
+    if (load_private_key) {
+	if (keyfile == NULL && key == NULL) {
+	    keyfile = certfile;
+	}
+
+	if (keyfile != NULL) {
+	    /* get the private key associated with this certificate */
+	    if (keyfile == NULL) {
+		keyfile = certfile;
+	    }
+
+	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
+		Tcl_DStringFree(&ds);
+		/* flush the passphrase which might be left in the result */
+		Tcl_SetResult(interp, NULL, TCL_STATIC);
+		Tcl_AppendResult(interp,
+			         "unable to set public key file ", keyfile, " ",
+			         REASON(), (char *) NULL);
+		SSL_CTX_free(ctx);
+		return (SSL_CTX *)0;
+	    }
+
+	    Tcl_DStringFree(&ds);
+	} else if (key != NULL) {
+	    if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) {
+		Tcl_DStringFree(&ds);
+		/* flush the passphrase which might be left in the result */
+		Tcl_SetResult(interp, NULL, TCL_STATIC);
+		Tcl_AppendResult(interp,
+		                 "unable to set public key: ",
+		                 REASON(), (char *) NULL);
+		SSL_CTX_free(ctx);
+		return (SSL_CTX *)0;
+	    }
+	}
+	/* Now we know that a key and cert have been set against
+	 * the SSL context */
+	if (!SSL_CTX_check_private_key(ctx)) {
+	    Tcl_AppendResult(interp,
+			     "private key does not match the certificate public key",
+			     (char *) NULL);
+	    SSL_CTX_free(ctx);
+	    return (SSL_CTX *)0;
+	}
+    }
+
+    /* Set verification CAs */
+    Tcl_DStringInit(&ds);
+    Tcl_DStringInit(&ds1);
+    if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CAdir, &ds1)) ||
+	!SSL_CTX_set_default_verify_paths(ctx)) {
+#if 0
+	Tcl_DStringFree(&ds);
+	Tcl_DStringFree(&ds1);
+	/* Don't currently care if this fails */
+	Tcl_AppendResult(interp, "SSL default verify paths: ",
+		REASON(), (char *) NULL);
+	SSL_CTX_free(ctx);
+	return (SSL_CTX *)0;
+#endif
+    }
+
+    /* https://sourceforge.net/p/tls/bugs/57/ */
+    /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
+    if ( CAfile != NULL ) {
+        STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) );
+	if ( certNames != NULL ) {
+	    SSL_CTX_set_client_CA_list(ctx, certNames );
+	}
+    }
+
+    Tcl_DStringFree(&ds);
+    Tcl_DStringFree(&ds1);
+    return ctx;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * StatusObjCmd -- return certificate for connected peer.
+ *
+ * Results:
+ *	A standard Tcl result.
+ *
+ * Side effects:
+ *	None.
+ *
+ *-------------------------------------------------------------------
+ */
+static int
+StatusObjCmd(
+    TCL_UNUSED(void *),
+    Tcl_Interp *interp,
+    int objc,
+    Tcl_Obj	*const objv[])
+{
+    State *statePtr;
+    X509 *peer;
+    Tcl_Obj *objPtr;
+    Tcl_Channel chan;
+    char *channelName, *ciphers;
+    int mode;
+
+    dprintf("Called");
+
+    switch (objc) {
+	case 2:
+	    channelName = Tcl_GetString(objv[1]);
+	    break;
+
+	case 3:
+	    if (!strcmp (Tcl_GetString (objv[1]), "-local")) {
+		channelName = Tcl_GetString(objv[2]);
+		break;
+	    }
+	    /* fallthrough */
+	default:
+	    Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel");
+	    return TCL_ERROR;
+    }
+
+    chan = Tcl_GetChannel(interp, channelName, &mode);
+    if (chan == (Tcl_Channel) NULL) {
+	return TCL_ERROR;
+    }
+    /*
+     * Make sure to operate on the topmost channel
+     */
+    chan = Tcl_GetTopChannel(chan);
+    if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
+	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
+		"\": not a TLS channel", (char *)NULL);
+	return TCL_ERROR;
+    }
+    statePtr = (State *) Tcl_GetChannelInstanceData(chan);
+    if (objc == 2) {
+	peer = SSL_get_peer_certificate(statePtr->ssl);
+    } else {
+	peer = SSL_get_certificate(statePtr->ssl);
+    }
+    if (peer) {
+	objPtr = Tls_NewX509Obj(interp, peer);
+	if (objc == 2) { X509_free(peer); }
+    } else {
+	objPtr = Tcl_NewListObj(0, NULL);
+    }
+
+    Tcl_ListObjAppendElement (interp, objPtr,
+	    Tcl_NewStringObj ("sbits", -1));
+    Tcl_ListObjAppendElement (interp, objPtr,
+	    Tcl_NewIntObj (SSL_get_cipher_bits (statePtr->ssl, NULL)));
+
+    ciphers = (char*)SSL_get_cipher(statePtr->ssl);
+    if (ciphers != NULL && strcmp(ciphers, "(NONE)")!=0) {
+	Tcl_ListObjAppendElement(interp, objPtr,
+		Tcl_NewStringObj("cipher", -1));
+	Tcl_ListObjAppendElement(interp, objPtr,
+		Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1));
+    }
+
+    Tcl_ListObjAppendElement(interp, objPtr,
+	Tcl_NewStringObj("version", -1));
+    Tcl_ListObjAppendElement(interp, objPtr,
+	Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1));
+
+    Tcl_SetObjResult( interp, objPtr);
+    return TCL_OK;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * VersionObjCmd -- return version string from OpenSSL.
+ *
+ * Results:
+ *	A standard Tcl result.
+ *
+ * Side effects:
+ *	None.
+ *
+ *-------------------------------------------------------------------
+ */
+static int
+VersionObjCmd(
+    TCL_UNUSED(void *),
+    Tcl_Interp *interp,
+    TCL_UNUSED(int) /* objc */,
+    TCL_UNUSED(Tcl_Obj *const *) /* objv */)
+{
+    Tcl_Obj *objPtr;
+
+    dprintf("Called");
+
+    objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1);
+
+    Tcl_SetObjResult(interp, objPtr);
+    return TCL_OK;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * MiscObjCmd -- misc commands
+ *
+ * Results:
+ *	A standard Tcl result.
+ *
+ * Side effects:
+ *	None.
+ *
+ *-------------------------------------------------------------------
+ */
+static int
+MiscObjCmd(
+    TCL_UNUSED(void *),
+    Tcl_Interp *interp,
+    int objc,
+    Tcl_Obj	*const objv[])
+{
+    static const char *commands [] = { "req", NULL };
+    enum command { C_REQ, C_DUMMY };
+    int cmd;
+
+    dprintf("Called");
+
+    if (objc < 2) {
+	Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?");
+	return TCL_ERROR;
+    }
+    if (Tcl_GetIndexFromObj(interp, objv[1], commands,
+	    "command", 0,&cmd) != TCL_OK) {
+	return TCL_ERROR;
+    }
+
+    switch ((enum command) cmd) {
+	case C_REQ: {
+	    EVP_PKEY *pkey=NULL;
+	    X509 *cert=NULL;
+	    X509_NAME *name=NULL;
+	    Tcl_Obj **listv;
+	    Tcl_Size listc,i;
+
+	    BIO *out=NULL;
+
+	    const char *k_C="",*k_ST="",*k_L="",*k_O="",*k_OU="",*k_CN="",*k_Email="";
+	    char *keyout,*pemout,*str;
+	    int keysize,serial=0,days=365;
+
+	    if ((objc<5) || (objc>6)) {
+		Tcl_WrongNumArgs(interp, 2, objv, "keysize keyfile certfile ?info?");
+		return TCL_ERROR;
+	    }
+
+	    if (Tcl_GetIntFromObj(interp, objv[2], &keysize) != TCL_OK) {
+		return TCL_ERROR;
+	    }
+	    keyout=Tcl_GetString(objv[3]);
+	    pemout=Tcl_GetString(objv[4]);
+
+	    if (objc>=6) {
+		if (Tcl_ListObjGetElements(interp, objv[5],
+			&listc, &listv) != TCL_OK) {
+		    return TCL_ERROR;
+		}
+
+		if ((listc%2) != 0) {
+		    Tcl_SetResult(interp,"Information list must have even number of arguments",NULL);
+		    return TCL_ERROR;
+		}
+		for (i=0; i<listc; i+=2) {
+		    str=Tcl_GetString(listv[i]);
+		    if (strcmp(str,"days")==0) {
+			if (Tcl_GetIntFromObj(interp,listv[i+1],&days)!=TCL_OK)
+			    return TCL_ERROR;
+		    } else if (strcmp(str,"serial")==0) {
+			if (Tcl_GetIntFromObj(interp,listv[i+1],&serial)!=TCL_OK)
+			    return TCL_ERROR;
+		    } else if (strcmp(str,"serial")==0) {
+			if (Tcl_GetIntFromObj(interp,listv[i+1],&serial)!=TCL_OK)
+			    return TCL_ERROR;
+		    } else if (strcmp(str,"C")==0) {
+			k_C=Tcl_GetString(listv[i+1]);
+		    } else if (strcmp(str,"ST")==0) {
+			k_ST=Tcl_GetString(listv[i+1]);
+		    } else if (strcmp(str,"L")==0) {
+			k_L=Tcl_GetString(listv[i+1]);
+		    } else if (strcmp(str,"O")==0) {
+			k_O=Tcl_GetString(listv[i+1]);
+		    } else if (strcmp(str,"OU")==0) {
+			k_OU=Tcl_GetString(listv[i+1]);
+		    } else if (strcmp(str,"CN")==0) {
+			k_CN=Tcl_GetString(listv[i+1]);
+		    } else if (strcmp(str,"Email")==0) {
+			k_Email=Tcl_GetString(listv[i+1]);
+		    } else {
+			Tcl_SetResult(interp,"Unknown parameter",NULL);
+			return TCL_ERROR;
+		    }
+		}
+	    }
+	    if ((pkey = EVP_PKEY_new()) != NULL) {
+		if (!EVP_PKEY_assign_RSA(pkey,
+			RSA_generate_key(keysize, 0x10001, NULL, NULL))) {
+		    Tcl_SetResult(interp,"Error generating private key",NULL);
+		    EVP_PKEY_free(pkey);
+		    return TCL_ERROR;
+		}
+		out=BIO_new(BIO_s_file());
+		BIO_write_filename(out,keyout);
+		PEM_write_bio_PrivateKey(out,pkey,NULL,NULL,0,NULL,NULL);
+		BIO_free_all(out);
+
+		if ((cert=X509_new())==NULL) {
+		    Tcl_SetResult(interp,"Error generating certificate request",NULL);
+		    EVP_PKEY_free(pkey);
+		    return(TCL_ERROR);
+		}
+
+		X509_set_version(cert,2);
+		ASN1_INTEGER_set(X509_get_serialNumber(cert),serial);
+		X509_gmtime_adj(X509_get_notBefore(cert),0);
+		X509_gmtime_adj(X509_get_notAfter(cert),(long)60*60*24*days);
+		X509_set_pubkey(cert,pkey);
+
+		name=X509_get_subject_name(cert);
+
+		X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, (unsigned char *) k_C, -1, -1, 0);
+		X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, (unsigned char *) k_ST, -1, -1, 0);
+		X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, (unsigned char *) k_L, -1, -1, 0);
+		X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (unsigned char *) k_O, -1, -1, 0);
+		X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, (unsigned char *) k_OU, -1, -1, 0);
+		X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, (unsigned char *) k_CN, -1, -1, 0);
+		X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, (unsigned char *) k_Email, -1, -1, 0);
+
+		X509_set_subject_name(cert,name);
+
+		if (!X509_sign(cert,pkey,EVP_md5())) {
+		    X509_free(cert);
+		    EVP_PKEY_free(pkey);
+		    Tcl_SetResult(interp,"Error signing certificate",NULL);
+		    return TCL_ERROR;
+		}
+
+		out=BIO_new(BIO_s_file());
+		BIO_write_filename(out,pemout);
+
+		PEM_write_bio_X509(out,cert);
+		BIO_free_all(out);
+
+		X509_free(cert);
+		EVP_PKEY_free(pkey);
+	    } else {
+		Tcl_SetResult(interp,"Error generating private key",NULL);
+		return TCL_ERROR;
+	    }
+	}
+	break;
+    default:
+	break;
+    }
+    return TCL_OK;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * Tls_Free --
+ *
+ *	This procedure cleans up when a SSL socket based channel
+ *	is closed and its reference count falls below 1
+ *
+ * Results:
+ *	none
+ *
+ * Side effects:
+ *	Frees all the state
+ *
+ *-------------------------------------------------------------------
+ */
+void
+#if TCL_MAJOR_VERSION > 8
+Tls_Free( void *blockPtr )
+#else
+Tls_Free( char *blockPtr )
+#endif
+{
+    State *statePtr = (State *)blockPtr;
+
+    dprintf("Called");
+
+    Tls_Clean(statePtr);
+    ckfree(blockPtr);
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * Tls_Clean --
+ *
+ *	This procedure cleans up when a SSL socket based channel
+ *	is closed and its reference count falls below 1.  This should
+ *	be called synchronously by the CloseProc, not in the
+ *	EventuallyFree callback.
+ *
+ * Results:
+ *	none
+ *
+ * Side effects:
+ *	Frees all the state
+ *
+ *-------------------------------------------------------------------
+ */
+void Tls_Clean(State *statePtr) {
+    dprintf("Called");
+
+    /*
+     * we're assuming here that we're single-threaded
+     */
+    if (statePtr->timer != (Tcl_TimerToken) NULL) {
+	Tcl_DeleteTimerHandler(statePtr->timer);
+	statePtr->timer = NULL;
+    }
+
+    if (statePtr->bio) {
+	/* This will call SSL_shutdown. Bug 1414045 */
+	dprintf("BIO_free_all(%p)", statePtr->bio);
+	BIO_free_all(statePtr->bio);
+	statePtr->bio = NULL;
+    }
+    if (statePtr->ssl) {
+	dprintf("SSL_free(%p)", statePtr->ssl);
+	SSL_free(statePtr->ssl);
+	statePtr->ssl = NULL;
+    }
+    if (statePtr->ctx) {
+	SSL_CTX_free(statePtr->ctx);
+	statePtr->ctx = NULL;
+    }
+    if (statePtr->callback) {
+	Tcl_DecrRefCount(statePtr->callback);
+	statePtr->callback = NULL;
+    }
+    if (statePtr->password) {
+	Tcl_DecrRefCount(statePtr->password);
+	statePtr->password = NULL;
+    }
+
+    dprintf("Returning");
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * Tls_Init --
+ *
+ *	This is a package initialization procedure, which is called
+ *	by Tcl when this package is to be added to an interpreter.
+ *
+ * Results:  Ssl configured and loaded
+ *
+ * Side effects:
+ *	 create the ssl command, initialise ssl context
+ *
+ *-------------------------------------------------------------------
+ */
+
+DLLEXPORT int Tls_Init(Tcl_Interp *interp) {
+	const char tlsTclInitScript[] = {
+#include "tls.tcl.h"
+            0x00
+	};
+
+        dprintf("Called");
+
+	/*
+	 * We only support Tcl 8.4 or newer
+	 */
+	if (
+#ifdef USE_TCL_STUBS
+	    Tcl_InitStubs(interp, "8.6-", 0)
+#else
+	    Tcl_PkgRequire(interp, "Tcl", "8.6-", 0)
+#endif
+	     == NULL) {
+		return TCL_ERROR;
+	}
+
+	if (TlsLibInit(0) != TCL_OK) {
+		Tcl_AppendResult(interp, "could not initialize SSL library", (char *)NULL);
+		return TCL_ERROR;
+	}
+
+	Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
+	Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
+	Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
+	Tcl_CreateObjCommand(interp, "tls::unimport", UnimportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
+	Tcl_CreateObjCommand(interp, "tls::status", StatusObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
+	Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
+	Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
+
+	if (interp) {
+		Tcl_Eval(interp, tlsTclInitScript);
+	}
+
+	return(Tcl_PkgProvide(interp, "tls", PACKAGE_VERSION));
+}
+
+/*
+ *------------------------------------------------------*
+ *
+ *	Tls_SafeInit --
+ *
+ *	------------------------------------------------*
+ *	Standard procedure required by 'load'.
+ *	Initializes this extension for a safe interpreter.
+ *	------------------------------------------------*
+ *
+ *	Sideeffects:
+ *		As of 'Tls_Init'
+ *
+ *	Result:
+ *		A standard Tcl error code.
+ *
+ *------------------------------------------------------*
+ */
+
+DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp) {
+	dprintf("Called");
+	return(Tls_Init(interp));
+}
+
+/*
+ *------------------------------------------------------*
+ *
+ *	TlsLibInit --
+ *
+ *	------------------------------------------------*
+ *	Initializes SSL library once per application
+ *	------------------------------------------------*
+ *
+ *	Side effects:
+ *		initilizes SSL library
+ *
+ *	Result:
+ *		none
+ *
+ *------------------------------------------------------*
+ */
+static int TlsLibInit(int uninitialize) {
+	static int initialized = 0;
+	int status = TCL_OK;
+#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
+	size_t num_locks;
+#endif
+
+	if (uninitialize) {
+		if (!initialized) {
+			dprintf("Asked to uninitialize, but we are not initialized");
+
+			return(TCL_OK);
+		}
+
+		dprintf("Asked to uninitialize");
+
+#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
+		Tcl_MutexLock(&init_mx);
+
+		CRYPTO_set_locking_callback(NULL);
+		CRYPTO_set_id_callback(NULL);
+
+		if (locks) {
+			free(locks);
+			locks = NULL;
+			locksCount = 0;
+		}
+#endif
+		initialized = 0;
+
+#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
+		Tcl_MutexUnlock(&init_mx);
+#endif
+
+		return(TCL_OK);
+	}
+
+	if (initialized) {
+		dprintf("Called, but using cached value");
+		return(status);
+	}
+
+	dprintf("Called");
+
+#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
+	Tcl_MutexLock(&init_mx);
+#endif
+	initialized = 1;
+
+#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
+	num_locks = CRYPTO_num_locks();
+	locksCount = num_locks;
+	locks = malloc(sizeof(*locks) * num_locks);
+	memset(locks, 0, sizeof(*locks) * num_locks);
+
+	CRYPTO_set_locking_callback(CryptoThreadLockCallback);
+	CRYPTO_set_id_callback(CryptoThreadIdCallback);
+#endif
+
+	if (SSL_library_init() != 1) {
+		status = TCL_ERROR;
+		goto done;
+	}
+
+	SSL_load_error_strings();
+	ERR_load_crypto_strings();
+
+	BIO_new_tcl(NULL, 0);
+
+#if 0
+	/*
+	 * XXX:TODO: Remove this code and replace it with a check
+	 * for enough entropy and do not try to create our own
+	 * terrible entropy
+	 */
+    /*
+     * Seed the random number generator in the SSL library,
+     * using the do/while construct because of the bug note in the
+     * OpenSSL FAQ at http://www.openssl.org/support/faq.html#USER1
+     *
+     * The crux of the problem is that Solaris 7 does not have a
+     * /dev/random or /dev/urandom device so it cannot gather enough
+     * entropy from the RAND_seed() when TLS initializes and refuses
+     * to go further. Earlier versions of OpenSSL carried on regardless.
+     */
+    srand((unsigned int) time((time_t *) NULL));
+    do {
+	for (i = 0; i < 16; i++) {
+	    rnd_seed[i] = 1 + (char) (255.0 * rand()/(RAND_MAX+1.0));
+	}
+	RAND_seed(rnd_seed, sizeof(rnd_seed));
+    } while (RAND_status() != 1);
+#endif
+
+done:
+#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
+	Tcl_MutexUnlock(&init_mx);
+#endif
+
+	return(status);
+}

ADDED   generic/tls.h
Index: generic/tls.h
==================================================================
--- /dev/null
+++ generic/tls.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
+ *
+ * TLS (aka SSL) Channel - can be layered on any bi-directional
+ * Tcl_Channel (Note: Requires Trf Core Patch)
+ *
+ * This was built from scratch based upon observation of OpenSSL 0.9.2B
+ *
+ * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
+ * providing the Tcl_ReplaceChannel mechanism and working closely with me
+ * to enhance it to support full fileevent semantics.
+ *
+ * Also work done by the follow people provided the impetus to do this "right":-
+ *	tclSSL (Colin McCormack, Shared Technology)
+ *	SSLtcl (Peter Antman)
+ *
+ */
+#ifndef _TLS_H
+#define _TLS_H
+
+#include <tcl.h>
+
+/*
+ * Initialization routines -- our entire public C API.
+ */
+DLLEXPORT int Tls_Init(Tcl_Interp *interp);
+DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp);
+
+#endif /* _TLS_H */

ADDED   generic/tlsBIO.c
Index: generic/tlsBIO.c
==================================================================
--- /dev/null
+++ generic/tlsBIO.c
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
+ *
+ * Provides BIO layer to interface openssl to Tcl.
+ */
+
+#include "tlsInt.h"
+
+#ifdef TCLTLS_OPENSSL_PRE_1_1_API
+#define BIO_get_data(bio)                ((bio)->ptr)
+#define BIO_get_init(bio)                ((bio)->init)
+#define BIO_get_shutdown(bio)            ((bio)->shutdown)
+#define BIO_set_data(bio, val)           (bio)->ptr = (val)
+#define BIO_set_init(bio, val)           (bio)->init = (val)
+#define BIO_set_shutdown(bio, val)       (bio)->shutdown = (val)
+
+/* XXX: This assumes the variable being assigned to is BioMethods */
+#define BIO_meth_new(type_, name_)       (BIO_METHOD *)Tcl_Alloc(sizeof(BIO_METHOD)); \
+                                         memset(BioMethods, 0, sizeof(BIO_METHOD)); \
+                                         BioMethods->type = type_; \
+                                         BioMethods->name = name_;
+#define BIO_meth_set_write(bio, val)     (bio)->bwrite = val;
+#define BIO_meth_set_read(bio, val)      (bio)->bread = val;
+#define BIO_meth_set_puts(bio, val)      (bio)->bputs = val;
+#define BIO_meth_set_ctrl(bio, val)      (bio)->ctrl = val;
+#define BIO_meth_set_create(bio, val)    (bio)->create = val;
+#define BIO_meth_set_destroy(bio, val)   (bio)->destroy = val;
+#endif
+
+/*
+ * Forward declarations
+ */
+
+static int BioWrite (BIO *h, const char *buf, int num);
+static int BioRead  (BIO *h, char *buf, int num);
+static int BioPuts  (BIO *h, const char *str);
+static long BioCtrl (BIO *h, int cmd, long arg1, void *ptr);
+static int BioNew   (BIO *h);
+static int BioFree  (BIO *h);
+
+BIO *BIO_new_tcl(State *statePtr, int flags) {
+	BIO *bio;
+	static BIO_METHOD *BioMethods = NULL;
+#ifdef TCLTLS_SSL_USE_FASTPATH
+	Tcl_Channel parentChannel;
+	const Tcl_ChannelType *parentChannelType;
+	void *parentChannelFdIn_p, *parentChannelFdOut_p;
+	int parentChannelFdIn, parentChannelFdOut, parentChannelFd;
+	int validParentChannelFd;
+	int tclGetChannelHandleRet;
+#endif
+
+	dprintf("BIO_new_tcl() called");
+
+	if (BioMethods == NULL) {
+		BioMethods = BIO_meth_new(BIO_TYPE_TCL, "tcl");
+		BIO_meth_set_write(BioMethods, BioWrite);
+		BIO_meth_set_read(BioMethods, BioRead);
+		BIO_meth_set_puts(BioMethods, BioPuts);
+		BIO_meth_set_ctrl(BioMethods, BioCtrl);
+		BIO_meth_set_create(BioMethods, BioNew);
+		BIO_meth_set_destroy(BioMethods, BioFree);
+	}
+
+	if (statePtr == NULL) {
+		dprintf("Asked to setup a NULL state, just creating the initial configuration");
+
+		return(NULL);
+	}
+
+#ifdef TCLTLS_SSL_USE_FASTPATH
+	/*
+	 * If the channel can be mapped back to a file descriptor, just use the file descriptor
+	 * with the SSL library since it will likely be optimized for this.
+	 */
+	parentChannel = Tls_GetParent(statePtr, 0);
+	parentChannelType = Tcl_GetChannelType(parentChannel);
+
+	validParentChannelFd = 0;
+	if (strcmp(parentChannelType->typeName, "tcp") == 0) {
+		tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_READABLE, &parentChannelFdIn_p);
+		if (tclGetChannelHandleRet == TCL_OK) {
+			tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_WRITABLE, &parentChannelFdOut_p);
+			if (tclGetChannelHandleRet == TCL_OK) {
+				parentChannelFdIn = PTR2INT(parentChannelFdIn_p);
+				parentChannelFdOut = PTR2INT(parentChannelFdOut_p);
+				if (parentChannelFdIn == parentChannelFdOut) {
+					parentChannelFd = parentChannelFdIn;
+					validParentChannelFd = 1;
+				}
+			}
+		}
+	}
+
+	if (validParentChannelFd) {
+		dprintf("We found a shortcut, this channel is backed by a socket: %i", parentChannelFdIn);
+		bio = BIO_new_socket(parentChannelFd, flags);
+		statePtr->flags |= TLS_TCL_FASTPATH;
+		return(bio);
+	}
+
+	dprintf("Falling back to Tcl I/O for this channel");
+#endif
+
+	bio = BIO_new(BioMethods);
+	BIO_set_data(bio, statePtr);
+	BIO_set_shutdown(bio, flags);
+	BIO_set_init(bio, 1);
+
+	return(bio);
+}
+
+static int BioWrite(BIO *bio, const char *buf, int bufLen) {
+	Tcl_Channel chan;
+	int ret;
+	int tclEofChan, tclErrno;
+
+	chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
+
+	dprintf("[chan=%p] BioWrite(%p, <buf>, %d)", (void *)chan, (void *) bio, bufLen);
+
+	ret = Tcl_WriteRaw(chan, buf, bufLen);
+
+	tclEofChan = Tcl_Eof(chan);
+	tclErrno = Tcl_GetErrno();
+
+	dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());
+
+	BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
+
+	if (tclEofChan && ret <= 0) {
+		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
+		Tcl_SetErrno(ECONNRESET);
+		ret = 0;
+	} else if (ret == 0) {
+		dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0");
+		dprintf("Setting retry read flag");
+		BIO_set_retry_read(bio);
+	} else if (ret < 0) {
+		dprintf("We got some kind of I/O error");
+
+		if (tclErrno == EAGAIN) {
+			dprintf("It's EAGAIN");
+		} else {
+			dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);
+		}
+	} else {
+		dprintf("Successfully wrote some data");
+	}
+
+	if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) {
+		if (BIO_should_read(bio)) {
+			dprintf("Setting should retry read flag");
+
+			BIO_set_retry_read(bio);
+		}
+	}
+
+	return(ret);
+}
+
+static int BioRead(BIO *bio, char *buf, int bufLen) {
+	Tcl_Channel chan;
+	int ret = 0;
+	int tclEofChan, tclErrno;
+
+	chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
+
+	dprintf("[chan=%p] BioRead(%p, <buf>, %d)", (void *) chan, (void *) bio, bufLen);
+
+	if (buf == NULL) {
+		return 0;
+	}
+
+	ret = Tcl_ReadRaw(chan, buf, bufLen);
+
+	tclEofChan = Tcl_Eof(chan);
+	tclErrno = Tcl_GetErrno();
+
+	dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno);
+
+	BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
+
+	if (tclEofChan && ret <= 0) {
+		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
+		Tcl_SetErrno(ECONNRESET);
+		ret = 0;
+	} else if (ret == 0) {
+		dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0");
+		dprintf("Setting retry read flag");
+		BIO_set_retry_read(bio);
+	} else if (ret < 0) {
+		dprintf("We got some kind of I/O error");
+
+		if (tclErrno == EAGAIN) {
+			dprintf("It's EAGAIN");
+		} else {
+			dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);
+		}
+	} else {
+		dprintf("Successfully read some data");
+	}
+
+	if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) {
+		if (BIO_should_write(bio)) {
+			dprintf("Setting should retry write flag");
+
+			BIO_set_retry_write(bio);
+		}
+	}
+
+	dprintf("BioRead(%p, <buf>, %d) [%p] returning %i", (void *) bio, bufLen, (void *) chan, ret);
+
+	return(ret);
+}
+
+static int BioPuts(BIO *bio, const char *str) {
+	dprintf("BioPuts(%p, <string:%p>) called", bio, str);
+
+	return BioWrite(bio, str, (int) strlen(str));
+}
+
+static long BioCtrl(BIO *bio, int cmd, long num, void *ptr) {
+	Tcl_Channel chan;
+	long ret = 1;
+
+	chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
+
+	dprintf("BioCtrl(%p, 0x%x, 0x%lx, %p)", bio, cmd, num, ptr);
+
+	switch (cmd) {
+		case BIO_CTRL_RESET:
+			dprintf("Got BIO_CTRL_RESET");
+			num = 0;
+			ret = 0;
+			break;
+		case BIO_C_FILE_SEEK:
+			dprintf("Got BIO_C_FILE_SEEK");
+			ret = 0;
+			break;
+		case BIO_C_FILE_TELL:
+			dprintf("Got BIO_C_FILE_TELL");
+			ret = 0;
+			break;
+		case BIO_CTRL_INFO:
+			dprintf("Got BIO_CTRL_INFO");
+			ret = 1;
+			break;
+		case BIO_C_SET_FD:
+			dprintf("Unsupported call: BIO_C_SET_FD");
+			ret = -1;
+			break;
+		case BIO_C_GET_FD:
+			dprintf("Unsupported call: BIO_C_GET_FD");
+			ret = -1;
+			break;
+		case BIO_CTRL_GET_CLOSE:
+			dprintf("Got BIO_CTRL_CLOSE");
+			ret = BIO_get_shutdown(bio);
+			break;
+		case BIO_CTRL_SET_CLOSE:
+			dprintf("Got BIO_SET_CLOSE");
+			BIO_set_shutdown(bio, num);
+			break;
+		case BIO_CTRL_EOF:
+			dprintf("Got BIO_CTRL_EOF");
+			ret = Tcl_Eof(chan);
+			break;
+		case BIO_CTRL_PENDING:
+			dprintf("Got BIO_CTRL_PENDING");
+			ret = ((chan) ? Tcl_InputBuffered(chan) : 0);
+			dprintf("BIO_CTRL_PENDING(%d)", (int) ret);
+			break;
+		case BIO_CTRL_WPENDING:
+			dprintf("Got BIO_CTRL_WPENDING");
+			ret = 0;
+			break;
+		case BIO_CTRL_DUP:
+			dprintf("Got BIO_CTRL_DUP");
+			break;
+		case BIO_CTRL_FLUSH:
+			dprintf("Got BIO_CTRL_FLUSH");
+			ret = ((Tcl_WriteRaw(chan, "", 0) >= 0) ? 1 : -1);
+			dprintf("BIO_CTRL_FLUSH returning value %li", ret);
+			break;
+		default:
+			dprintf("Got unknown control command (%i)", cmd);
+			ret = -2;
+			break;
+	}
+
+	return(ret);
+}
+
+static int BioNew(BIO *bio) {
+	dprintf("BioNew(%p) called", bio);
+
+	BIO_set_init(bio, 0);
+	BIO_set_data(bio, NULL);
+	BIO_clear_flags(bio, -1);
+
+	return(1);
+}
+
+static int BioFree(BIO *bio) {
+	if (bio == NULL) {
+		return(0);
+	}
+
+	dprintf("BioFree(%p) called", bio);
+
+	if (BIO_get_shutdown(bio)) {
+		if (BIO_get_init(bio)) {
+			/*shutdown(bio->num, 2) */
+			/*closesocket(bio->num) */
+		}
+
+		BIO_set_init(bio, 0);
+		BIO_clear_flags(bio, -1);
+	}
+
+	return(1);
+}

ADDED   generic/tlsIO.c
Index: generic/tlsIO.c
==================================================================
--- /dev/null
+++ generic/tlsIO.c
@@ -0,0 +1,946 @@
+/*
+ * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
+ * Copyright (C) 2000 Ajuba Solutions
+ *
+ * TLS (aka SSL) Channel - can be layered on any bi-directional
+ * Tcl_Channel (Note: Requires Trf Core Patch)
+ *
+ * This was built from scratch based upon observation of OpenSSL 0.9.2B
+ *
+ * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
+ * providing the Tcl_ReplaceChannel mechanism and working closely with me
+ * to enhance it to support full fileevent semantics.
+ *
+ * Also work done by the follow people provided the impetus to do this "right":
+ *	tclSSL (Colin McCormack, Shared Technology)
+ *	SSLtcl (Peter Antman)
+ *
+ */
+
+#include "tlsInt.h"
+
+/*
+ * Forward declarations
+ */
+static int  TlsBlockModeProc (void *instanceData, int mode);
+static int  TlsCloseProc (void *instanceData, Tcl_Interp *interp);
+static int  TlsClose2Proc (void *instanceData, Tcl_Interp *interp, int flags);
+static int  TlsInputProc (void *instanceData, char *buf, int bufSize, int *errorCodePtr);
+static int  TlsOutputProc (void *instanceData, const char *buf, int toWrite, int *errorCodePtr);
+static int  TlsGetOptionProc (void *instanceData, Tcl_Interp *interp, const char *optionName, Tcl_DString *dsPtr);
+static void TlsWatchProc (void *instanceData, int mask);
+static int  TlsGetHandleProc (void *instanceData, int direction, void **handlePtr);
+static int  TlsNotifyProc (void *instanceData, int mask);
+static void TlsChannelHandlerTimer (void *clientData);
+
+/*
+ * TLS Channel Type
+ */
+static const Tcl_ChannelType tlsChannelType = {
+  "tls",                             /* typeName                             */
+  TCL_CHANNEL_VERSION_5,             /* version                              */
+  TlsCloseProc,                      /* closeProc                            */
+  TlsInputProc,                      /* inputProc                            */
+  TlsOutputProc,                     /* outputProc                           */
+  0,                                 /* seekProc                             */
+  0,                                 /* setOptionProc                        */
+  TlsGetOptionProc,                  /* getOptionProc                        */
+  TlsWatchProc,                      /* watchProc                            */
+  TlsGetHandleProc,                  /* getHandleProc                        */
+  TlsClose2Proc,                     /* close2Proc                           */
+  TlsBlockModeProc,                  /* blockModeProc                        */
+  0,                                 /* flushProc                            */
+  TlsNotifyProc,                     /* handlerProc                          */
+  0,                                 /* wideSeekProc                         */
+  0,                                 /* threadActionProc                     */
+  0                                  /* truncateProc                         */
+};
+
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * Tls_ChannelType --
+ *
+ *	Return the correct TLS channel driver info
+ *
+ * Results:
+ *	The correct channel driver for the current version of Tcl.
+ *
+ * Side effects:
+ *	None.
+ *
+ *-------------------------------------------------------------------
+ */
+const Tcl_ChannelType *Tls_ChannelType(void) {
+	return &tlsChannelType;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsBlockModeProc --
+ *
+ *	This procedure is invoked by the generic IO level
+ *       to set blocking and nonblocking modes
+ * Results:
+ *	0 if successful, errno when failed.
+ *
+ * Side effects:
+ *	Sets the device into blocking or nonblocking mode.
+ *
+ *-------------------------------------------------------------------
+ */
+static int TlsBlockModeProc(void *instanceData, int mode) {
+	State *statePtr = (State *) instanceData;
+
+	if (mode == TCL_MODE_NONBLOCKING) {
+		statePtr->flags |= TLS_TCL_ASYNC;
+	} else {
+		statePtr->flags &= ~(TLS_TCL_ASYNC);
+	}
+
+	return(0);
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsCloseProc --
+ *
+ *	This procedure is invoked by the generic IO level to perform
+ *	channel-type-specific cleanup when a SSL socket based channel
+ *	is closed.
+ *
+ *	Note: we leave the underlying socket alone, is this right?
+ *
+ * Results:
+ *	0 if successful, the value of Tcl_GetErrno() if failed.
+ *
+ * Side effects:
+ *	Closes the socket of the channel.
+ *
+ *-------------------------------------------------------------------
+ */
+static int TlsCloseProc(void *instanceData, TCL_UNUSED(Tcl_Interp *)) {
+	State *statePtr = (State *) instanceData;
+
+	dprintf("TlsCloseProc(%p)", statePtr);
+
+	Tls_Clean(statePtr);
+	Tcl_EventuallyFree(statePtr, Tls_Free);
+
+	dprintf("Returning TCL_OK");
+
+	return(TCL_OK);
+}
+
+static int TlsClose2Proc(void *instanceData, Tcl_Interp *interp, int flags) {
+	if (!(flags&(TCL_CLOSE_READ|TCL_CLOSE_WRITE))) {
+	    return TlsCloseProc(instanceData, interp);
+	}
+	return EINVAL;
+}
+
+/*
+ *------------------------------------------------------*
+ *
+ *	Tls_WaitForConnect --
+ *
+ *	Sideeffects:
+ *		Issues SSL_accept or SSL_connect
+ *
+ *	Result:
+ *		None.
+ *
+ *------------------------------------------------------*
+ */
+int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent) {
+	unsigned long backingError;
+	int err, rc;
+	int bioShouldRetry;
+
+	dprintf("WaitForConnect(%p)", statePtr);
+	dprintFlags(statePtr);
+
+	if (!(statePtr->flags & TLS_TCL_INIT)) {
+		dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success");
+		*errorCodePtr = 0;
+		return(0);
+	}
+
+	if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
+		/*
+		 * Different types of operations have different requirements
+		 * SSL being established
+		 */
+		if (handshakeFailureIsPermanent) {
+			dprintf("Asked to wait for a TLS handshake that has already failed.  Returning fatal error");
+			*errorCodePtr = ECONNABORTED;
+		} else {
+			dprintf("Asked to wait for a TLS handshake that has already failed.  Returning soft error");
+			*errorCodePtr = ECONNRESET;
+		}
+		return(-1);
+	}
+
+	for (;;) {
+		/* Not initialized yet! */
+		if (statePtr->flags & TLS_TCL_SERVER) {
+			dprintf("Calling SSL_accept()");
+
+			err = SSL_accept(statePtr->ssl);
+		} else {
+			dprintf("Calling SSL_connect()");
+
+			err = SSL_connect(statePtr->ssl);
+		}
+
+		if (err > 0) {
+			dprintf("That seems to have gone okay");
+
+			err = BIO_flush(statePtr->bio);
+
+			if (err <= 0) {
+				dprintf("Flushing the lower layers failed, this will probably terminate this session");
+			}
+		}
+
+		rc = SSL_get_error(statePtr->ssl, err);
+
+		dprintf("Got error: %i (rc = %i)", err, rc);
+
+		bioShouldRetry = 0;
+		if (err <= 0) {
+			if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) {
+				bioShouldRetry = 1;
+			} else if (BIO_should_retry(statePtr->bio)) {
+				bioShouldRetry = 1;
+			} else if (rc == SSL_ERROR_SYSCALL && Tcl_GetErrno() == EAGAIN) {
+				bioShouldRetry = 1;
+			}
+		} else {
+			if (!SSL_is_init_finished(statePtr->ssl)) {
+				bioShouldRetry = 1;
+			}
+		}
+
+		if (bioShouldRetry) {
+			dprintf("The I/O did not complete -- but we should try it again");
+
+			if (statePtr->flags & TLS_TCL_ASYNC) {
+				dprintf("Returning EAGAIN so that it can be retried later");
+
+				*errorCodePtr = EAGAIN;
+
+				return(-1);
+			} else {
+				dprintf("Doing so now");
+
+				continue;
+			}
+		}
+
+		dprintf("We have either completely established the session or completely failed it -- there is no more need to ever retry it though");
+		break;
+	}
+
+
+	*errorCodePtr = EINVAL;
+
+	switch (rc) {
+		case SSL_ERROR_NONE:
+			/* The connection is up, we are done here */
+			dprintf("The connection is up");
+			break;
+		case SSL_ERROR_ZERO_RETURN:
+			dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...")
+			return(-1);
+		case SSL_ERROR_SYSCALL:
+			backingError = ERR_get_error();
+
+			if (backingError == 0 && err == 0) {
+				dprintf("EOF reached")
+				*errorCodePtr = ECONNRESET;
+			} else if (backingError == 0 && err == -1) {
+				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
+				*errorCodePtr = Tcl_GetErrno();
+				if (*errorCodePtr == ECONNRESET) {
+					*errorCodePtr = ECONNABORTED;
+				}
+			} else {
+				dprintf("I/O error occured (backingError = %lu)", backingError);
+				*errorCodePtr = backingError;
+				if (*errorCodePtr == ECONNRESET) {
+					*errorCodePtr = ECONNABORTED;
+				}
+			}
+
+			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
+
+			return(-1);
+		case SSL_ERROR_SSL:
+			dprintf("Got permanent fatal SSL error, aborting immediately");
+			Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error()));
+			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
+			*errorCodePtr = ECONNABORTED;
+			return(-1);
+		case SSL_ERROR_WANT_CONNECT:
+		case SSL_ERROR_WANT_ACCEPT:
+		case SSL_ERROR_WANT_X509_LOOKUP:
+		default:
+			dprintf("We got a confusing reply: %i", rc);
+			*errorCodePtr = Tcl_GetErrno();
+			dprintf("ERR(%d, %d) ", rc, *errorCodePtr);
+			return(-1);
+	}
+
+#if 0
+	if (statePtr->flags & TLS_TCL_SERVER) {
+		dprintf("This is an TLS server, checking the certificate for the peer");
+
+		err = SSL_get_verify_result(statePtr->ssl);
+		if (err != X509_V_OK) {
+			dprintf("Invalid certificate, returning in failure");
+
+			Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err));
+			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
+			*errorCodePtr = ECONNABORTED;
+			return(-1);
+		}
+	}
+#endif
+
+	dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake");
+	statePtr->flags &= ~TLS_TCL_INIT;
+
+	dprintf("Returning in success");
+	*errorCodePtr = 0;
+
+	return(0);
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsInputProc --
+ *
+ *	This procedure is invoked by the generic IO level
+ *       to read input from a SSL socket based channel.
+ *
+ * Results:
+ *	The number of bytes read is returned or -1 on error. An output
+ *	argument contains the POSIX error code on error, or zero if no
+ *	error occurred.
+ *
+ * Side effects:
+ *	Reads input from the input device of the channel.
+ *
+ *-------------------------------------------------------------------
+ */
+
+static int TlsInputProc(void *instanceData, char *buf, int bufSize, int *errorCodePtr) {
+	unsigned long backingError;
+	State *statePtr = (State *) instanceData;
+	int bytesRead;
+	int tlsConnect;
+	int err;
+
+	*errorCodePtr = 0;
+
+	dprintf("BIO_read(%d)", bufSize);
+
+	if (statePtr->flags & TLS_TCL_CALLBACK) {
+		/* don't process any bytes while verify callback is running */
+		dprintf("Callback is running, reading 0 bytes");
+		return(0);
+	}
+
+	dprintf("Calling Tls_WaitForConnect");
+	tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0);
+	if (tlsConnect < 0) {
+		dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr);
+
+		bytesRead = -1;
+		if (*errorCodePtr == ECONNRESET) {
+			dprintf("Got connection reset");
+			/* Soft EOF */
+			*errorCodePtr = 0;
+			bytesRead = 0;
+		}
+
+		return(bytesRead);
+	}
+
+	/*
+	 * We need to clear the SSL error stack now because we sometimes reach
+	 * this function with leftover errors in the stack.  If BIO_read
+	 * returns -1 and intends EAGAIN, there is a leftover error, it will be
+	 * misconstrued as an error, not EAGAIN.
+	 *
+	 * Alternatively, we may want to handle the <0 return codes from
+	 * BIO_read specially (as advised in the RSA docs).  TLS's lower level BIO
+	 * functions play with the retry flags though, and this seems to work
+	 * correctly.  Similar fix in TlsOutputProc. - hobbs
+	 */
+	ERR_clear_error();
+	bytesRead = BIO_read(statePtr->bio, buf, bufSize);
+	dprintf("BIO_read -> %d", bytesRead);
+
+	err = SSL_get_error(statePtr->ssl, bytesRead);
+
+#if 0
+	if (bytesRead <= 0) {
+		if (BIO_should_retry(statePtr->bio)) {
+			dprintf("I/O failed, will retry based on EAGAIN");
+			*errorCodePtr = EAGAIN;
+		}
+	}
+#endif
+
+	switch (err) {
+		case SSL_ERROR_NONE:
+			dprintBuffer(buf, bytesRead);
+			break;
+		case SSL_ERROR_SSL:
+			dprintf("SSL negotiation error, indicating that the connection has been aborted");
+
+			Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, bytesRead));
+			*errorCodePtr = ECONNABORTED;
+			bytesRead = -1;
+
+			break;
+		case SSL_ERROR_SYSCALL:
+			backingError = ERR_get_error();
+
+			if (backingError == 0 && bytesRead == 0) {
+				dprintf("EOF reached")
+				*errorCodePtr = 0;
+				bytesRead = 0;
+			} else if (backingError == 0 && bytesRead == -1) {
+				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
+				*errorCodePtr = Tcl_GetErrno();
+				bytesRead = -1;
+			} else {
+				dprintf("I/O error occured (backingError = %lu)", backingError);
+				*errorCodePtr = backingError;
+				bytesRead = -1;
+			}
+
+			break;
+		case SSL_ERROR_ZERO_RETURN:
+			dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached");
+			bytesRead = 0;
+			*errorCodePtr = 0;
+			break;
+		case SSL_ERROR_WANT_READ:
+			dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN");
+			bytesRead = -1;
+			*errorCodePtr = EAGAIN;
+			break;
+		default:
+			dprintf("Unknown error (err = %i), mapping to EOF", err);
+			*errorCodePtr = 0;
+			bytesRead = 0;
+			break;
+	}
+
+	dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr);
+	return(bytesRead);
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsOutputProc --
+ *
+ *	This procedure is invoked by the generic IO level
+ *       to write output to a SSL socket based channel.
+ *
+ * Results:
+ *	The number of bytes written is returned. An output argument is
+ *	set to a POSIX error code if an error occurred, or zero.
+ *
+ * Side effects:
+ *	Writes output on the output device of the channel.
+ *
+ *-------------------------------------------------------------------
+ */
+
+static int TlsOutputProc(void *instanceData, const char *buf, int toWrite, int *errorCodePtr) {
+	unsigned long backingError;
+	State *statePtr = (State *) instanceData;
+	int written, err;
+	int tlsConnect;
+
+	*errorCodePtr = 0;
+
+	dprintf("BIO_write(%p, %d)", (void *) statePtr, toWrite);
+	dprintBuffer(buf, toWrite);
+
+	if (statePtr->flags & TLS_TCL_CALLBACK) {
+		dprintf("Don't process output while callbacks are running")
+		written = -1;
+		*errorCodePtr = EAGAIN;
+		return(-1);
+	}
+
+	dprintf("Calling Tls_WaitForConnect");
+	tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1);
+	if (tlsConnect < 0) {
+		dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr);
+
+		written = -1;
+		if (*errorCodePtr == ECONNRESET) {
+			dprintf("Got connection reset");
+			/* Soft EOF */
+			*errorCodePtr = 0;
+			written = 0;
+		}
+
+		return(written);
+	}
+
+	if (toWrite == 0) {
+		dprintf("zero-write");
+		err = BIO_flush(statePtr->bio);
+
+		if (err <= 0) {
+			dprintf("Flushing failed");
+
+			*errorCodePtr = EIO;
+			written = 0;
+			return(-1);
+		}
+
+		written = 0;
+		*errorCodePtr = 0;
+		return(0);
+	}
+
+	/*
+	 * We need to clear the SSL error stack now because we sometimes reach
+	 * this function with leftover errors in the stack.  If BIO_write
+	 * returns -1 and intends EAGAIN, there is a leftover error, it will be
+	 * misconstrued as an error, not EAGAIN.
+	 *
+	 * Alternatively, we may want to handle the <0 return codes from
+	 * BIO_write specially (as advised in the RSA docs).  TLS's lower level
+	 * BIO functions play with the retry flags though, and this seems to
+	 * work correctly.  Similar fix in TlsInputProc. - hobbs
+	 */
+	ERR_clear_error();
+	written = BIO_write(statePtr->bio, buf, toWrite);
+	dprintf("BIO_write(%p, %d) -> [%d]", (void *) statePtr, toWrite, written);
+
+	err = SSL_get_error(statePtr->ssl, written);
+	switch (err) {
+		case SSL_ERROR_NONE:
+			if (written < 0) {
+				written = 0;
+			}
+			break;
+		case SSL_ERROR_WANT_WRITE:
+			dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN");
+			*errorCodePtr = EAGAIN;
+			written = -1;
+			break;
+		case SSL_ERROR_WANT_READ:
+			dprintf(" write R BLOCK");
+			break;
+		case SSL_ERROR_WANT_X509_LOOKUP:
+			dprintf(" write X BLOCK");
+			break;
+		case SSL_ERROR_ZERO_RETURN:
+			dprintf(" closed");
+			written = 0;
+			*errorCodePtr = 0;
+			break;
+		case SSL_ERROR_SYSCALL:
+			backingError = ERR_get_error();
+
+			if (backingError == 0 && written == 0) {
+				dprintf("EOF reached")
+				*errorCodePtr = 0;
+				written = 0;
+			} else if (backingError == 0 && written == -1) {
+				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
+				*errorCodePtr = Tcl_GetErrno();
+				written = -1;
+			} else {
+				dprintf("I/O error occured (backingError = %lu)", backingError);
+				*errorCodePtr = backingError;
+				written = -1;
+			}
+
+			break;
+		case SSL_ERROR_SSL:
+			Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, written));
+			*errorCodePtr = ECONNABORTED;
+			written = -1;
+			break;
+		default:
+			dprintf(" unknown err: %d", err);
+			break;
+	}
+
+	dprintf("Output(%d) -> %d", toWrite, written);
+	return(written);
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsGetOptionProc --
+ *
+ *	Computes an option value for a SSL socket based channel, or a
+ *	list of all options and their values.
+ *
+ * Results:
+ *	A standard Tcl result. The value of the specified option or a
+ *	list of all options and	their values is returned in the
+ *	supplied DString.
+ *
+ * Side effects:
+ *	None.
+ *
+ *-------------------------------------------------------------------
+ */
+static int
+TlsGetOptionProc(void *instanceData,	/* Socket state. */
+	Tcl_Interp *interp,		/* For errors - can be NULL. */
+	const char *optionName,		/* Name of the option to
+					 * retrieve the value for, or
+					 * NULL to get all options and
+					 * their values. */
+	Tcl_DString *dsPtr)		/* Where to store the computed value
+					 * initialized by caller. */
+{
+    State *statePtr = (State *) instanceData;
+
+   Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH);
+   Tcl_DriverGetOptionProc *getOptionProc;
+
+    getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan));
+    if (getOptionProc != NULL) {
+        return (*getOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, dsPtr);
+    } else if (optionName == (char*) NULL) {
+        /*
+         * Request is query for all options, this is ok.
+         */
+         return TCL_OK;
+    }
+    /*
+     * Request for a specific option has to fail, we don't have any.
+     */
+    return TCL_ERROR;
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsWatchProc --
+ *
+ *	Initialize the notifier to watch Tcl_Files from this channel.
+ *
+ * Results:
+ *	None.
+ *
+ * Side effects:
+ *	Sets up the notifier so that a future event on the channel
+ *	will be seen by Tcl.
+ *
+ *-------------------------------------------------------------------
+ */
+
+static void
+TlsWatchProc(void *instanceData,	/* The socket state. */
+             int mask)			/* Events of interest; an OR-ed
+                                         * combination of TCL_READABLE,
+                                         * TCL_WRITABLE and TCL_EXCEPTION. */
+{
+    Tcl_Channel     downChan;
+    State *statePtr = (State *) instanceData;
+
+    dprintf("TlsWatchProc(0x%x)", mask);
+
+    /* Pretend to be dead as long as the verify callback is running.
+     * Otherwise that callback could be invoked recursively. */
+    if (statePtr->flags & TLS_TCL_CALLBACK) {
+        dprintf("Callback is on-going, doing nothing");
+        return;
+    }
+
+    dprintFlags(statePtr);
+
+    downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH);
+
+    if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
+        dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here");
+
+	dprintf("Unregistering interest in the lower channel");
+	(Tcl_GetChannelType(downChan))->watchProc(Tcl_GetChannelInstanceData(downChan), 0);
+
+	statePtr->watchMask = 0;
+
+        return;
+    }
+
+	statePtr->watchMask = mask;
+
+	/* No channel handlers any more. We will be notified automatically
+	 * about events on the channel below via a call to our
+	 * 'TransformNotifyProc'. But we have to pass the interest down now.
+	 * We are allowed to add additional 'interest' to the mask if we want
+	 * to. But this transformation has no such interest. It just passes
+	 * the request down, unchanged.
+	 */
+
+
+        dprintf("Registering our interest in the lower channel (chan=%p)", (void *) downChan);
+	(Tcl_GetChannelType(downChan))
+	    ->watchProc(Tcl_GetChannelInstanceData(downChan), mask);
+
+	/*
+	 * Management of the internal timer.
+	 */
+
+	if (statePtr->timer != (Tcl_TimerToken) NULL) {
+            dprintf("A timer was found, deleting it");
+	    Tcl_DeleteTimerHandler(statePtr->timer);
+	    statePtr->timer = (Tcl_TimerToken) NULL;
+	}
+
+	if (mask & TCL_READABLE) {
+		if (Tcl_InputBuffered(statePtr->self) > 0 || BIO_ctrl_pending(statePtr->bio) > 0) {
+			/*
+			 * There is interest in readable events and we actually have
+			 * data waiting, so generate a timer to flush that.
+			 */
+			dprintf("Creating a new timer since data appears to be waiting");
+			statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, TlsChannelHandlerTimer, statePtr);
+		}
+	}
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsGetHandleProc --
+ *
+ *	Called from Tcl_GetChannelFile to retrieve o/s file handler
+ *	from the SSL socket based channel.
+ *
+ * Results:
+ *	The appropriate Tcl_File or NULL if not present.
+ *
+ * Side effects:
+ *	None.
+ *
+ *-------------------------------------------------------------------
+ */
+static int TlsGetHandleProc(void *instanceData, int direction, void **handlePtr) {
+	State *statePtr = (State *) instanceData;
+
+	return(Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr));
+}
+
+/*
+ *-------------------------------------------------------------------
+ *
+ * TlsNotifyProc --
+ *
+ *	Handler called by Tcl to inform us of activity
+ *	on the underlying channel.
+ *
+ * Results:
+ *	None.
+ *
+ * Side effects:
+ *	May process the incoming event by itself.
+ *
+ *-------------------------------------------------------------------
+ */
+
+static int TlsNotifyProc(void *instanceData, int mask) {
+	State *statePtr = (State *) instanceData;
+	int errorCode;
+
+	/*
+	 * An event occured in the underlying channel.  This
+	 * transformation doesn't process such events thus returns the
+	 * incoming mask unchanged.
+	 */
+	if (statePtr->timer != (Tcl_TimerToken) NULL) {
+		/*
+		 * Delete an existing timer. It was not fired, yet we are
+		 * here, so the channel below generated such an event and we
+		 * don't have to. The renewal of the interest after the
+		 * execution of channel handlers will eventually cause us to
+		 * recreate the timer (in WatchProc).
+		 */
+		Tcl_DeleteTimerHandler(statePtr->timer);
+		statePtr->timer = (Tcl_TimerToken) NULL;
+	}
+
+	if (statePtr->flags & TLS_TCL_CALLBACK) {
+		dprintf("Returning 0 due to callback");
+		return 0;
+	}
+
+	dprintf("Calling Tls_WaitForConnect");
+	errorCode = 0;
+	if (Tls_WaitForConnect(statePtr, &errorCode, 1) < 0) {
+		if (errorCode == EAGAIN) {
+			dprintf("Async flag could be set (didn't check) and errorCode == EAGAIN:  Returning 0");
+
+			return 0;
+		}
+
+		dprintf("Tls_WaitForConnect returned an error");
+	}
+
+	dprintf("Returning %i", mask);
+
+	return(mask);
+}
+
+#if 0
+/*
+ *------------------------------------------------------*
+ *
+ *      TlsChannelHandler --
+ *
+ *      ------------------------------------------------*
+ *      Handler called by Tcl as a result of
+ *      Tcl_CreateChannelHandler - to inform us of activity
+ *      on the underlying channel.
+ *      ------------------------------------------------*
+ *
+ *      Sideeffects:
+ *              May generate subsequent calls to
+ *              Tcl_NotifyChannel.
+ *
+ *      Result:
+ *              None.
+ *
+ *------------------------------------------------------*
+ */
+
+static void
+TlsChannelHandler (clientData, mask)
+    void *    clientData;
+    int            mask;
+{
+    State *statePtr = (State *) clientData;
+
+    dprintf("HANDLER(0x%x)", mask);
+    Tcl_Preserve(statePtr);
+
+    if (mask & TCL_READABLE) {
+	BIO_set_flags(statePtr->p_bio, BIO_FLAGS_READ);
+    } else {
+	BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_READ);
+    }
+
+    if (mask & TCL_WRITABLE) {
+	BIO_set_flags(statePtr->p_bio, BIO_FLAGS_WRITE);
+    } else {
+	BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_WRITE);
+    }
+
+    mask = 0;
+    if (BIO_wpending(statePtr->bio)) {
+	mask |= TCL_WRITABLE;
+    }
+    if (BIO_pending(statePtr->bio)) {
+	mask |= TCL_READABLE;
+    }
+
+    /*
+     * The following NotifyChannel calls seems to be important, but
+     * we don't know why.  It looks like if the mask is ever non-zero
+     * that it will enter an infinite loop.
+     *
+     * Notify the upper channel of the current BIO state so the event
+     * continues to propagate up the chain.
+     *
+     * stanton: It looks like this could result in an infinite loop if
+     * the upper channel doesn't cause ChannelHandler to be removed
+     * before Tcl_NotifyChannel calls channel handlers on the lower channel.
+     */
+
+    Tcl_NotifyChannel(statePtr->self, mask);
+
+    if (statePtr->timer != (Tcl_TimerToken)NULL) {
+	Tcl_DeleteTimerHandler(statePtr->timer);
+	statePtr->timer = (Tcl_TimerToken)NULL;
+    }
+    if ((mask & TCL_READABLE) && Tcl_InputBuffered(statePtr->self) > 0) {
+	/*
+	 * Data is waiting, flush it out in short time
+	 */
+	statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY,
+		TlsChannelHandlerTimer, statePtr);
+    }
+    Tcl_Release(statePtr);
+}
+#endif
+
+/*
+ *------------------------------------------------------*
+ *
+ *	TlsChannelHandlerTimer --
+ *
+ *	------------------------------------------------*
+ *	Called by the notifier (-> timer) to flush out
+ *	information waiting in channel buffers.
+ *	------------------------------------------------*
+ *
+ *	Sideeffects:
+ *		As of 'TlsChannelHandler'.
+ *
+ *	Result:
+ *		None.
+ *
+ *------------------------------------------------------*
+ */
+
+static void TlsChannelHandlerTimer(void *clientData) {
+	State *statePtr = (State *) clientData;
+	int mask = 0;
+
+	dprintf("Called");
+
+	statePtr->timer = (Tcl_TimerToken) NULL;
+
+	if (BIO_wpending(statePtr->bio)) {
+		dprintf("[chan=%p] BIO writable", statePtr->self);
+
+		mask |= TCL_WRITABLE;
+	}
+
+	if (BIO_pending(statePtr->bio)) {
+		dprintf("[chan=%p] BIO readable", statePtr->self);
+
+		mask |= TCL_READABLE;
+	}
+
+	dprintf("Notifying ourselves");
+	Tcl_NotifyChannel(statePtr->self, mask);
+
+	dprintf("Returning");
+
+	return;
+}
+
+Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags) {
+	dprintf("Requested to get parent of channel %p", statePtr->self);
+
+	if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) {
+		dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL");
+		return(NULL);
+	}
+
+	return(Tcl_GetStackedChannel(statePtr->self));
+}

ADDED   generic/tlsInt.h
Index: generic/tlsInt.h
==================================================================
--- /dev/null
+++ generic/tlsInt.h
@@ -0,0 +1,198 @@
+/*
+ * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
+ *
+ * TLS (aka SSL) Channel - can be layered on any bi-directional
+ * Tcl_Channel (Note: Requires Trf Core Patch)
+ *
+ * This was built from scratch based upon observation of OpenSSL 0.9.2B
+ *
+ * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
+ * providing the Tcl_ReplaceChannel mechanism and working closely with me
+ * to enhance it to support full fileevent semantics.
+ *
+ * Also work done by the follow people provided the impetus to do this "right":-
+ *	tclSSL (Colin McCormack, Shared Technology)
+ *	SSLtcl (Peter Antman)
+ *
+ */
+#ifndef _TLSINT_H
+#define _TLSINT_H
+
+#include "tls.h"
+#include <errno.h>
+#include <string.h>
+#include <stdint.h>
+
+#ifdef __WIN32__
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <wincrypt.h> /* OpenSSL needs this on Windows */
+#endif
+
+#ifdef NO_PATENTS
+#  define NO_IDEA
+#  define NO_RC2
+#  define NO_RC4
+#  define NO_RC5
+#  define NO_RSA
+#  ifndef NO_SSL2
+#    define NO_SSL2
+#  endif
+#endif
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/opensslv.h>
+
+/*
+ * Determine if we should use the pre-OpenSSL 1.1.0 API
+ */
+#undef TCLTLS_OPENSSL_PRE_1_1
+#if (defined(LIBRESSL_VERSION_NUMBER)) || OPENSSL_VERSION_NUMBER < 0x10100000L
+#  define TCLTLS_OPENSSL_PRE_1_1_API 1
+#endif
+
+#ifndef ECONNABORTED
+#define ECONNABORTED	130	/* Software caused connection abort */
+#endif
+#ifndef ECONNRESET
+#define ECONNRESET	131	/* Connection reset by peer */
+#endif
+
+#ifdef TCLEXT_TCLTLS_DEBUG
+#include <ctype.h>
+#define dprintf(...) { \
+                       char dprintfBuffer[8192], *dprintfBuffer_p; \
+                       dprintfBuffer_p = &dprintfBuffer[0]; \
+                       dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():", __FILE__, __LINE__, __func__); \
+                       dprintfBuffer_p += sprintf(dprintfBuffer_p, __VA_ARGS__); \
+                       fprintf(stderr, "%s\n", dprintfBuffer); \
+                     }
+#define dprintBuffer(bufferName, bufferLength) { \
+                                                 int dprintBufferIdx; \
+                                                 unsigned char dprintBufferChar; \
+                                                 fprintf(stderr, "%s:%i:%s():%s[%llu]={", __FILE__, __LINE__, __func__, #bufferName, (unsigned long long) bufferLength); \
+                                                 for (dprintBufferIdx = 0; dprintBufferIdx < bufferLength; dprintBufferIdx++) { \
+                                                         dprintBufferChar = bufferName[dprintBufferIdx]; \
+                                                         if (isalpha(dprintBufferChar) || isdigit(dprintBufferChar)) { \
+                                                                 fprintf(stderr, "'%c' ", dprintBufferChar); \
+                                                         } else { \
+                                                                 fprintf(stderr, "%02x ", (unsigned int) dprintBufferChar); \
+                                                         }; \
+                                                 }; \
+                                                 fprintf(stderr, "}\n"); \
+                                               }
+#define dprintFlags(statePtr) { \
+                                char dprintfBuffer[8192], *dprintfBuffer_p; \
+                                dprintfBuffer_p = &dprintfBuffer[0]; \
+                                dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():%s->flags=0", __FILE__, __LINE__, __func__, #statePtr); \
+                                if (((statePtr)->flags & TLS_TCL_ASYNC) == TLS_TCL_ASYNC) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_ASYNC"); }; \
+                                if (((statePtr)->flags & TLS_TCL_SERVER) == TLS_TCL_SERVER) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_SERVER"); }; \
+                                if (((statePtr)->flags & TLS_TCL_INIT) == TLS_TCL_INIT) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_INIT"); }; \
+                                if (((statePtr)->flags & TLS_TCL_DEBUG) == TLS_TCL_DEBUG) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_DEBUG"); }; \
+                                if (((statePtr)->flags & TLS_TCL_CALLBACK) == TLS_TCL_CALLBACK) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_CALLBACK"); }; \
+                                if (((statePtr)->flags & TLS_TCL_HANDSHAKE_FAILED) == TLS_TCL_HANDSHAKE_FAILED) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_HANDSHAKE_FAILED"); }; \
+                                if (((statePtr)->flags & TLS_TCL_FASTPATH) == TLS_TCL_FASTPATH) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_FASTPATH"); }; \
+                                fprintf(stderr, "%s\n", dprintfBuffer); \
+                              }
+#else
+#define dprintf(...) if (0) { fprintf(stderr, __VA_ARGS__); }
+#define dprintBuffer(bufferName, bufferLength) /**/
+#define dprintFlags(statePtr) /**/
+#endif
+
+#define TCLTLS_SSL_ERROR(ssl,err) ((char*)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err))))
+/*
+ * OpenSSL BIO Routines
+ */
+#define BIO_TYPE_TCL	(19|0x0400)
+
+/*
+ * Defines for State.flags
+ */
+#define TLS_TCL_ASYNC	(1<<0)	/* non-blocking mode */
+#define TLS_TCL_SERVER	(1<<1)	/* Server-Side */
+#define TLS_TCL_INIT	(1<<2)	/* Initializing connection */
+#define TLS_TCL_DEBUG	(1<<3)	/* Show debug tracing */
+#define TLS_TCL_CALLBACK	(1<<4)	/* In a callback, prevent update
+					 * looping problem. [Bug 1652380] */
+#define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once
+                                         * set, all further I/O will result
+                                         * in ECONNABORTED errors. */
+#define TLS_TCL_FASTPATH (1<<6)         /* The parent channel is being used directly by the SSL library */
+#define TLS_TCL_DELAY (5)
+
+/*
+ * This structure describes the per-instance state
+ * of an ssl channel.
+ *
+ * The SSL processing context is maintained here, in the ClientData
+ */
+typedef struct State {
+	Tcl_Channel self;       /* this socket channel */
+	Tcl_TimerToken timer;
+
+	int flags;              /* see State.flags above  */
+	int watchMask;          /* current WatchProc mask */
+	int mode;               /* current mode of parent channel */
+
+	Tcl_Interp *interp;     /* interpreter in which this resides */
+	Tcl_Obj *callback;      /* script called for tracing, verifying and errors */
+	Tcl_Obj *password;      /* script called for certificate password */
+
+	int vflags;             /* verify flags */
+	SSL *ssl;               /* Struct for SSL processing */
+	SSL_CTX *ctx;           /* SSL Context */
+	BIO *bio;               /* Struct for SSL processing */
+	BIO *p_bio;             /* Parent BIO (that is layered on Tcl_Channel) */
+
+	const char *err;
+} State;
+
+#ifdef USE_TCL_STUBS
+#ifndef Tcl_StackChannel
+#error "Unable to compile on this version of Tcl"
+#endif /* Tcl_GetStackedChannel */
+#endif /* USE_TCL_STUBS */
+
+#ifndef JOIN
+#  define JOIN(a,b) JOIN1(a,b)
+#  define JOIN1(a,b) a##b
+#endif
+
+#ifndef TCL_UNUSED
+# if defined(__cplusplus)
+#   define TCL_UNUSED(T) T
+# elif defined(__GNUC__) && (__GNUC__ > 2)
+#   define TCL_UNUSED(T) T JOIN(dummy, __LINE__) __attribute__((unused))
+# else
+#   define TCL_UNUSED(T) T JOIN(dummy, __LINE__)
+# endif
+#endif
+
+#if (TCL_MAJOR_VERSION < 9) && defined(TCL_MINOR_VERSION) && (TCL_MINOR_VERSION < 7) && !defined(Tcl_Size)
+#   define Tcl_Size int
+#endif
+
+/*
+ * Forward declarations
+ */
+const Tcl_ChannelType *Tls_ChannelType(void);
+Tcl_Channel     Tls_GetParent(State *statePtr, int maskFlags);
+
+Tcl_Obj         *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert);
+void            Tls_Error(State *statePtr, char *msg);
+#if TCL_MAJOR_VERSION > 8
+void            Tls_Free(void *blockPtr);
+#else
+void            Tls_Free(char *blockPtr);
+#endif
+void            Tls_Clean(State *statePtr);
+int             Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent);
+
+BIO             *BIO_new_tcl(State* statePtr, int flags);
+
+#define PTR2INT(x) ((int) ((intptr_t) (x)))
+
+#endif /* _TLSINT_H */

ADDED   generic/tlsX509.c
Index: generic/tlsX509.c
==================================================================
--- /dev/null
+++ generic/tlsX509.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 1997-2000 Sensus Consulting Ltd.
+ * Matt Newman <matt@sensus.org>
+ */
+#include "tlsInt.h"
+
+/*
+ *  Ensure these are not macros - known to be defined on Win32
+ */
+#ifdef min
+#undef min
+#endif
+
+#ifdef max
+#undef max
+#endif
+
+static int min(int a, int b)
+{
+    return (a < b) ? a : b;
+}
+
+static int max(int a, int b)
+{
+    return (a > b) ? a : b;
+}
+
+/*
+ * ASN1_UTCTIME_tostr --
+ */
+static char *
+ASN1_UTCTIME_tostr(ASN1_UTCTIME *tm)
+{
+    static char bp[128];
+    char *v;
+    int gmt=0;
+    static char *mon[12]={
+        "Jan","Feb","Mar","Apr","May","Jun",
+        "Jul","Aug","Sep","Oct","Nov","Dec"};
+    int i;
+    int y=0,M=0,d=0,h=0,m=0,s=0;
+
+    i=tm->length;
+    v=(char *)tm->data;
+
+    if (i < 10) goto err;
+    if (v[i-1] == 'Z') gmt=1;
+    for (i=0; i<10; i++)
+        if ((v[i] > '9') || (v[i] < '0')) goto err;
+    y= (v[0]-'0')*10+(v[1]-'0');
+    if (y < 70) y+=100;
+    M= (v[2]-'0')*10+(v[3]-'0');
+    if ((M > 12) || (M < 1)) goto err;
+    d= (v[4]-'0')*10+(v[5]-'0');
+    h= (v[6]-'0')*10+(v[7]-'0');
+    m=  (v[8]-'0')*10+(v[9]-'0');
+    if (	(v[10] >= '0') && (v[10] <= '9') &&
+		(v[11] >= '0') && (v[11] <= '9'))
+        s=  (v[10]-'0')*10+(v[11]-'0');
+
+    sprintf(bp,"%s %2d %02d:%02d:%02d %d%s",
+                   mon[M-1],d,h,m,s,y+1900,(gmt)?" GMT":"");
+    return bp;
+ err:
+    return "Bad time value";
+}
+
+/*
+ *------------------------------------------------------*
+ *
+ *	Tls_NewX509Obj --
+ *
+ *	------------------------------------------------*
+ *	Converts a X509 certificate into a Tcl_Obj
+ *	------------------------------------------------*
+ *
+ *	Sideeffects:
+ *		None
+ *
+ *	Result:
+ *		A Tcl List Object representing the provided
+ *		X509 certificate.
+ *
+ *------------------------------------------------------*
+ */
+
+#define CERT_STR_SIZE 16384
+
+Tcl_Obj*
+Tls_NewX509Obj( interp, cert)
+    Tcl_Interp *interp;
+    X509 *cert;
+{
+    Tcl_Obj *certPtr = Tcl_NewListObj( 0, NULL);
+    BIO *bio;
+    int n;
+    unsigned long flags;
+    char subject[BUFSIZ];
+    char issuer[BUFSIZ];
+    char serial[BUFSIZ];
+    char notBefore[BUFSIZ];
+    char notAfter[BUFSIZ];
+    char certStr[CERT_STR_SIZE], *certStr_p;
+    int certStr_len, toRead;
+#ifndef NO_SSL_SHA
+    int shai;
+    char sha_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1];
+    unsigned char sha_hash_binary[SHA_DIGEST_LENGTH];
+    const char *shachars="0123456789ABCDEF";
+
+    sha_hash_ascii[SHA_DIGEST_LENGTH * 2] = '\0';
+#endif
+
+    certStr[0] = 0;
+    if ((bio = BIO_new(BIO_s_mem())) == NULL) {
+	subject[0] = 0;
+	issuer[0]  = 0;
+	serial[0]  = 0;
+    } else {
+	flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
+	flags &= ~ASN1_STRFLGS_ESC_MSB;
+
+	X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags);
+	n = BIO_read(bio, subject, min(BIO_pending(bio), BUFSIZ - 1));
+	n = max(n, 0);
+	subject[n] = 0;
+	(void)BIO_flush(bio);
+
+	X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags);
+	n = BIO_read(bio, issuer, min(BIO_pending(bio), BUFSIZ - 1));
+	n = max(n, 0);
+	issuer[n] = 0;
+	(void)BIO_flush(bio);
+
+	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
+	n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1));
+	n = max(n, 0);
+	serial[n] = 0;
+	(void)BIO_flush(bio);
+
+        if (PEM_write_bio_X509(bio, cert)) {
+            certStr_p = certStr;
+            certStr_len = 0;
+            while (1) {
+                toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1);
+                toRead = min(toRead, BUFSIZ);
+                if (toRead == 0) {
+                    break;
+                }
+                dprintf("Reading %i bytes from the certificate...", toRead);
+                n = BIO_read(bio, certStr_p, toRead);
+                if (n <= 0) {
+                    break;
+                }
+                certStr_len += n;
+                certStr_p   += n;
+            }
+            *certStr_p = '\0';
+            (void)BIO_flush(bio);
+        }
+
+	BIO_free(bio);
+    }
+
+    strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) ));
+    strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) ));
+
+#ifndef NO_SSL_SHA
+    X509_digest(cert, EVP_sha1(), sha_hash_binary, NULL);
+    for (shai = 0; shai < SHA_DIGEST_LENGTH; shai++) {
+        sha_hash_ascii[shai * 2]     = shachars[(sha_hash_binary[shai] & 0xF0) >> 4];
+        sha_hash_ascii[shai * 2 + 1] = shachars[(sha_hash_binary[shai] & 0x0F)];
+    }
+    Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha_hash_ascii, SHA_DIGEST_LENGTH * 2) );
+
+#endif
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( "subject", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( subject, -1) );
+
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( "issuer", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( issuer, -1) );
+
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( "notBefore", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( notBefore, -1) );
+
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( "notAfter", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( notAfter, -1) );
+
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( "serial", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( serial, -1) );
+
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( "certificate", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr,
+	    Tcl_NewStringObj( certStr, -1) );
+
+    return certPtr;
+}

DELETED tclOpts.h
Index: tclOpts.h
==================================================================
--- tclOpts.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- *  Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
- *
- * Stylized option processing - requires consitent
- * external vars: opt, idx, objc, objv
- */
-#ifndef _TCL_OPTS_H
-#define _TCL_OPTS_H
-
-#define OPT_PROLOG(option)			\
-    if (strcmp(opt, (option)) == 0) {		\
-	if (++idx >= objc) {			\
-	    Tcl_AppendResult(interp,		\
-		"no argument given for ",	\
-		(option), " option",		\
-		(char *) NULL);			\
-	    return TCL_ERROR;			\
-	}
-#define OPT_POSTLOG()				\
-	continue;				\
-    }
-#define OPTOBJ(option, var)			\
-    OPT_PROLOG(option)				\
-    var = objv[idx];				\
-    OPT_POSTLOG()
-
-#define OPTSTR(option, var)			\
-    OPT_PROLOG(option)				\
-    var = Tcl_GetString(objv[idx]);\
-    OPT_POSTLOG()
-
-#define OPTINT(option, var)			\
-    OPT_PROLOG(option)				\
-    if (Tcl_GetIntFromObj(interp, objv[idx],	\
-	    &(var)) != TCL_OK) {		\
-	    return TCL_ERROR;			\
-    }						\
-    OPT_POSTLOG()
-
-#define OPTBOOL(option, var)			\
-    OPT_PROLOG(option)				\
-    if (Tcl_GetBooleanFromObj(interp, objv[idx],\
-	    &(var)) != TCL_OK) {		\
-	    return TCL_ERROR;			\
-    }						\
-    OPT_POSTLOG()
-
-#define OPTBYTE(option, var, lvar)			\
-    OPT_PROLOG(option)				\
-    var = Tcl_GetByteArrayFromObj(objv[idx], &(lvar));\
-    OPT_POSTLOG()
-
-#define OPTBAD(type, list)			\
-    Tcl_AppendResult(interp, "bad ", (type),	\
-		" \"", opt, "\": must be ",	\
-		(list), (char *) NULL)
-
-#endif /* _TCL_OPTS_H */

DELETED tls.c
Index: tls.c
==================================================================
--- tls.c
+++ /dev/null
@@ -1,1947 +0,0 @@
-/*
- * Copyright (C) 1997-1999 Matt Newman <matt@novadigm.com>
- * some modifications:
- *	Copyright (C) 2000 Ajuba Solutions
- *	Copyright (C) 2002 ActiveState Corporation
- *	Copyright (C) 2004 Starfish Systems
- *
- * TLS (aka SSL) Channel - can be layered on any bi-directional
- * Tcl_Channel (Note: Requires Trf Core Patch)
- *
- * This was built (almost) from scratch based upon observation of
- * OpenSSL 0.9.2B
- *
- * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
- * providing the Tcl_ReplaceChannel mechanism and working closely with me
- * to enhance it to support full fileevent semantics.
- *
- * Also work done by the follow people provided the impetus to do this "right":
- *	tclSSL (Colin McCormack, Shared Technology)
- *	SSLtcl (Peter Antman)
- *
- */
-
-#include "tlsInt.h"
-#include "tclOpts.h"
-#include <stdlib.h>
-
-/*
- * External functions
- */
-
-/*
- * Forward declarations
- */
-
-#define F2N( key, dsp) \
-	(((key) == NULL) ? (char *) NULL : \
-		Tcl_TranslateFileName(interp, (key), (dsp)))
-#define REASON()	ERR_reason_error_string(ERR_get_error())
-
-static void	InfoCallback(const SSL *ssl, int where, int ret);
-
-static Tcl_ObjCmdProc CiphersObjCmd;
-static Tcl_ObjCmdProc HandshakeObjCmd;
-static Tcl_ObjCmdProc ImportObjCmd;
-static Tcl_ObjCmdProc StatusObjCmd;
-static Tcl_ObjCmdProc VersionObjCmd;
-static Tcl_ObjCmdProc MiscObjCmd;
-static Tcl_ObjCmdProc UnimportObjCmd;
-
-static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
-			char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1,
-			int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile,
-      char *ciphers, char *DHparams);
-
-static int	TlsLibInit(int uninitialize);
-
-#define TLS_PROTO_SSL2		0x01
-#define TLS_PROTO_SSL3		0x02
-#define TLS_PROTO_TLS1		0x04
-#define TLS_PROTO_TLS1_1	0x08
-#define TLS_PROTO_TLS1_2	0x10
-#define TLS_PROTO_TLS1_3	0x20
-#define ENABLED(flag, mask)	(((flag) & (mask)) == (mask))
-
-/*
- * Static data structures
- */
-
-#ifndef OPENSSL_NO_DH
-#include "dh_params.h"
-#endif
-
-/*
- * We lose the tcl password callback when we use the RSA BSAFE SSL-C 1.1.2
- * libraries instead of the current OpenSSL libraries.
- */
-
-#ifdef BSAFE
-#define PRE_OPENSSL_0_9_4 1
-#endif
-
-/*
- * Pre OpenSSL 0.9.4 Compat
- */
-
-#ifndef STACK_OF
-#define STACK_OF(x)			STACK
-#define sk_SSL_CIPHER_num(sk)		sk_num((sk))
-#define sk_SSL_CIPHER_value( sk, index)	(SSL_CIPHER*)sk_value((sk), (index))
-#endif
-
-/*
- * Thread-Safe TLS Code
- */
-
-#ifdef TCL_THREADS
-#define OPENSSL_THREAD_DEFINES
-#include <openssl/opensslconf.h>
-
-#ifdef OPENSSL_THREADS
-#include <openssl/crypto.h>
-
-/*
- * Threaded operation requires locking callbacks
- * Based from /crypto/cryptlib.c of OpenSSL and NSOpenSSL.
- */
-
-static Tcl_Mutex *locks = NULL;
-static int locksCount = 0;
-static Tcl_Mutex init_mx;
-
-void CryptoThreadLockCallback(int mode, int n, const char *file, int line) {
-
-	if (mode & CRYPTO_LOCK) {
-		/* This debugging is turned off by default -- it's too noisy. */
-		/* dprintf("Called to lock (n=%i of %i)", n, locksCount); */
-		Tcl_MutexLock(&locks[n]);
-	} else {
-		/* dprintf("Called to unlock (n=%i of %i)", n, locksCount); */
-		Tcl_MutexUnlock(&locks[n]);
-	}
-
-	/* dprintf("Returning"); */
-
-	return;
-	file = file;
-	line = line;
-}
-
-unsigned long CryptoThreadIdCallback(void) {
-	unsigned long ret;
-
-	dprintf("Called");
-
-	ret = (unsigned long) Tcl_GetCurrentThread();
-
-	dprintf("Returning %lu", ret);
-
-	return(ret);
-}
-#endif /* OPENSSL_THREADS */
-#endif /* TCL_THREADS */
-
-
-/*
- *-------------------------------------------------------------------
- *
- * InfoCallback --
- *
- *	monitors SSL connection process
- *
- * Results:
- *	None
- *
- * Side effects:
- *	Calls callback (if defined)
- *-------------------------------------------------------------------
- */
-static void
-InfoCallback(const SSL *ssl, int where, int ret)
-{
-    State *statePtr = (State*)SSL_get_app_data((SSL *)ssl);
-    Tcl_Obj *cmdPtr;
-    const char *major, *minor;
-
-    dprintf("Called");
-
-    if (statePtr->callback == (Tcl_Obj*)NULL)
-	return;
-
-    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
-
-#if 0
-    if (where & SSL_CB_ALERT) {
-	sev = SSL_alert_type_string_long(ret);
-	if (strcmp( sev, "fatal")==0) {	/* Map to error */
-	    Tls_Error(statePtr, SSL_ERROR(ssl, 0));
-	    return;
-	}
-    }
-#endif
-    if (where & SSL_CB_HANDSHAKE_START) {
-	major = "handshake";
-	minor = "start";
-    } else if (where & SSL_CB_HANDSHAKE_DONE) {
-	major = "handshake";
-	minor = "done";
-    } else {
-	if (where & SSL_CB_ALERT)		major = "alert";
-	else if (where & SSL_ST_CONNECT)	major = "connect";
-	else if (where & SSL_ST_ACCEPT)		major = "accept";
-	else					major = "unknown";
-
-	if (where & SSL_CB_READ)		minor = "read";
-	else if (where & SSL_CB_WRITE)		minor = "write";
-	else if (where & SSL_CB_LOOP)		minor = "loop";
-	else if (where & SSL_CB_EXIT)		minor = "exit";
-	else					minor = "unknown";
-    }
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( "info", -1));
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) );
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( major, -1) );
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( minor, -1) );
-
-    if (where & (SSL_CB_LOOP|SSL_CB_EXIT)) {
-	Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( SSL_state_string_long(ssl), -1) );
-    } else if (where & SSL_CB_ALERT) {
-	const char *cp = (char *) SSL_alert_desc_string_long(ret);
-
-	Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( cp, -1) );
-    } else {
-	Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( SSL_state_string_long(ssl), -1) );
-    }
-    Tcl_Preserve( (ClientData) statePtr->interp);
-    Tcl_Preserve( (ClientData) statePtr);
-
-    Tcl_IncrRefCount( cmdPtr);
-    (void) Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL);
-    Tcl_DecrRefCount( cmdPtr);
-
-    Tcl_Release( (ClientData) statePtr);
-    Tcl_Release( (ClientData) statePtr->interp);
-
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * VerifyCallback --
- *
- *	Monitors SSL certificate validation process.
- *	This is called whenever a certificate is inspected
- *	or decided invalid.
- *
- * Results:
- *	A callback bound to the socket may return one of:
- *	    0			- the certificate is deemed invalid
- *	    1			- the certificate is deemed valid
- *	    empty string	- no change to certificate validation
- *
- * Side effects:
- *	The err field of the currently operative State is set
- *	  to a string describing the SSL negotiation failure reason
- *-------------------------------------------------------------------
- */
-static int
-VerifyCallback(int ok, X509_STORE_CTX *ctx)
-{
-    Tcl_Obj *cmdPtr, *result;
-    char *errStr, *string;
-    Tcl_Size length;
-    SSL   *ssl		= (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
-    X509  *cert		= X509_STORE_CTX_get_current_cert(ctx);
-    State *statePtr	= (State*)SSL_get_app_data(ssl);
-    int depth		= X509_STORE_CTX_get_error_depth(ctx);
-    int err		= X509_STORE_CTX_get_error(ctx);
-
-    dprintf("Verify: %d", ok);
-
-    if (!ok) {
-	errStr = (char*)X509_verify_cert_error_string(err);
-    } else {
-	errStr = (char *)0;
-    }
-
-    if (statePtr->callback == (Tcl_Obj*)NULL) {
-	if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
-	    return ok;
-	} else {
-	    return 1;
-	}
-    }
-    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( "verify", -1));
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( Tcl_GetChannelName(statePtr->self), -1) );
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewIntObj( depth) );
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tls_NewX509Obj( statePtr->interp, cert) );
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewIntObj( ok) );
-
-    Tcl_ListObjAppendElement( statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj( errStr ? errStr : "", -1) );
-
-    Tcl_Preserve( (ClientData) statePtr->interp);
-    Tcl_Preserve( (ClientData) statePtr);
-
-    statePtr->flags |= TLS_TCL_CALLBACK;
-
-    Tcl_IncrRefCount( cmdPtr);
-    if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) {
-	/* It got an error - reject the certificate.		*/
-	Tcl_BackgroundError( statePtr->interp);
-	ok = 0;
-    } else {
-	result = Tcl_GetObjResult(statePtr->interp);
-	string = Tcl_GetStringFromObj(result, &length);
-	/* An empty result leaves verification unchanged.	*/
-	if (string != NULL && length > 0) {
-	    if (Tcl_GetIntFromObj(statePtr->interp, result, &ok) != TCL_OK) {
-		Tcl_BackgroundError(statePtr->interp);
-		ok = 0;
-	    }
-	}
-    }
-    Tcl_DecrRefCount( cmdPtr);
-
-    statePtr->flags &= ~(TLS_TCL_CALLBACK);
-
-    Tcl_Release( (ClientData) statePtr);
-    Tcl_Release( (ClientData) statePtr->interp);
-
-    return(ok);	/* By default, leave verification unchanged.	*/
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * Tls_Error --
- *
- *	Calls callback with $fd and $msg - so the callback can decide
- *	what to do with errors.
- *
- * Side effects:
- *	The err field of the currently operative State is set
- *	  to a string describing the SSL negotiation failure reason
- *-------------------------------------------------------------------
- */
-void
-Tls_Error(State *statePtr, char *msg)
-{
-    Tcl_Obj *cmdPtr;
-
-    dprintf("Called");
-
-    if (msg && *msg) {
-	Tcl_SetErrorCode(statePtr->interp, "SSL", msg, (char *)NULL);
-    } else {
-	msg = Tcl_GetString(Tcl_GetObjResult(statePtr->interp));
-    }
-    statePtr->err = msg;
-
-    if (statePtr->callback == (Tcl_Obj*)NULL) {
-	char buf[BUFSIZ];
-	sprintf(buf, "SSL channel \"%s\": error: %s",
-	    Tcl_GetChannelName(statePtr->self), msg);
-	Tcl_SetResult( statePtr->interp, buf, TCL_VOLATILE);
-	Tcl_BackgroundError( statePtr->interp);
-	return;
-    }
-    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
-
-    Tcl_ListObjAppendElement(statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj("error", -1));
-
-    Tcl_ListObjAppendElement(statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
-
-    Tcl_ListObjAppendElement(statePtr->interp, cmdPtr,
-	    Tcl_NewStringObj(msg, -1));
-
-    Tcl_Preserve((ClientData) statePtr->interp);
-    Tcl_Preserve((ClientData) statePtr);
-
-    Tcl_IncrRefCount(cmdPtr);
-    if (Tcl_EvalObjEx(statePtr->interp, cmdPtr, TCL_EVAL_GLOBAL) != TCL_OK) {
-	Tcl_BackgroundError(statePtr->interp);
-    }
-    Tcl_DecrRefCount(cmdPtr);
-
-    Tcl_Release((ClientData) statePtr);
-    Tcl_Release((ClientData) statePtr->interp);
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * PasswordCallback --
- *
- *	Called when a password is needed to unpack RSA and PEM keys.
- *	Evals any bound password script and returns the result as
- *	the password string.
- *-------------------------------------------------------------------
- */
-#ifdef PRE_OPENSSL_0_9_4
-/*
- * No way to handle user-data therefore no way without a global
- * variable to access the Tcl interpreter.
-*/
-static int
-PasswordCallback(char *buf, int size, int verify)
-{
-    return -1;
-    	buf = buf;
-	size = size;
-	verify = verify;
-}
-#else
-static int
-PasswordCallback(char *buf, int size, int verify, void *udata)
-{
-    State *statePtr	= (State *) udata;
-    Tcl_Interp *interp	= statePtr->interp;
-    Tcl_Obj *cmdPtr;
-    int result;
-
-    dprintf("Called");
-
-    if (statePtr->password == NULL) {
-	if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL)
-		== TCL_OK) {
-	    char *ret = (char *) Tcl_GetStringResult(interp);
-	    strncpy(buf, ret, (size_t) size);
-	    return (int)strlen(ret);
-	} else {
-	    return -1;
-	}
-    }
-
-    cmdPtr = Tcl_DuplicateObj(statePtr->password);
-
-    Tcl_Preserve((ClientData) statePtr->interp);
-    Tcl_Preserve((ClientData) statePtr);
-
-    Tcl_IncrRefCount(cmdPtr);
-    result = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL);
-    if (result != TCL_OK) {
-	Tcl_BackgroundError(statePtr->interp);
-    }
-    Tcl_DecrRefCount(cmdPtr);
-
-    Tcl_Release((ClientData) statePtr);
-    Tcl_Release((ClientData) statePtr->interp);
-
-    if (result == TCL_OK) {
-	char *ret = (char *) Tcl_GetStringResult(interp);
-	strncpy(buf, ret, (size_t) size);
-	return (int)strlen(ret);
-    } else {
-	return -1;
-    }
-    	verify = verify;
-}
-#endif
-
-/*
- *-------------------------------------------------------------------
- *
- * CiphersObjCmd -- list available ciphers
- *
- *	This procedure is invoked to process the "tls::ciphers" command
- *	to list available ciphers, based upon protocol selected.
- *
- * Results:
- *	A standard Tcl result list.
- *
- * Side effects:
- *	constructs and destroys SSL context (CTX)
- *
- *-------------------------------------------------------------------
- */
-static int
-CiphersObjCmd(
-    TCL_UNUSED(void *),
-    Tcl_Interp *interp,
-    int objc,
-    Tcl_Obj	*const objv[])
-{
-    static const char *protocols[] = {
-	"ssl2",	"ssl3",	"tls1",	"tls1.1", "tls1.2", "tls1.3", NULL
-    };
-    enum protocol {
-	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE
-    };
-    Tcl_Obj *objPtr;
-    SSL_CTX *ctx = NULL;
-    SSL *ssl = NULL;
-    STACK_OF(SSL_CIPHER) *sk;
-    char *cp, buf[BUFSIZ];
-    int index, verbose = 0;
-
-    dprintf("Called");
-
-    if (objc < 2 || objc > 3) {
-	Tcl_WrongNumArgs(interp, 1, objv, "protocol ?verbose?");
-	return TCL_ERROR;
-    }
-    if (Tcl_GetIndexFromObj( interp, objv[1], protocols, "protocol", 0,
-	&index) != TCL_OK) {
-	return TCL_ERROR;
-    }
-    if (objc > 2 && Tcl_GetBooleanFromObj( interp, objv[2],
-	&verbose) != TCL_OK) {
-	return TCL_ERROR;
-    }
-    switch ((enum protocol)index) {
-    case TLS_SSL2:
-#if defined(NO_SSL2)
-		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-		return TCL_ERROR;
-#else
-		ctx = SSL_CTX_new(SSLv2_method()); break;
-#endif
-    case TLS_SSL3:
-#if defined(NO_SSL3)
-		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-		return TCL_ERROR;
-#else
-		ctx = SSL_CTX_new(SSLv3_method()); break;
-#endif
-    case TLS_TLS1:
-#if defined(NO_TLS1)
-		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-		return TCL_ERROR;
-#else
-		ctx = SSL_CTX_new(TLSv1_method()); break;
-#endif
-    case TLS_TLS1_1:
-#if defined(NO_TLS1_1)
-		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-		return TCL_ERROR;
-#else
-		ctx = SSL_CTX_new(TLSv1_1_method()); break;
-#endif
-    case TLS_TLS1_2:
-#if defined(NO_TLS1_2)
-		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-		return TCL_ERROR;
-#else
-		ctx = SSL_CTX_new(TLSv1_2_method()); break;
-#endif
-    case TLS_TLS1_3:
-#if defined(NO_TLS1_3)
-		Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-		return TCL_ERROR;
-#else
-		ctx = SSL_CTX_new(TLS_method()); break;
-                SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
-                SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
-#endif
-    default:
-		break;
-    }
-    if (ctx == NULL) {
-	Tcl_AppendResult(interp, REASON(), (char *) NULL);
-	return TCL_ERROR;
-    }
-    ssl = SSL_new(ctx);
-    if (ssl == NULL) {
-	Tcl_AppendResult(interp, REASON(), (char *) NULL);
-	SSL_CTX_free(ctx);
-	return TCL_ERROR;
-    }
-    objPtr = Tcl_NewListObj( 0, NULL);
-
-    if (!verbose) {
-	for (index = 0; ; index++) {
-	    cp = (char*)SSL_get_cipher_list( ssl, index);
-	    if (cp == NULL) break;
-	    Tcl_ListObjAppendElement( interp, objPtr,
-		Tcl_NewStringObj( cp, -1) );
-	}
-    } else {
-	sk = SSL_get_ciphers(ssl);
-
-	for (index = 0; index < sk_SSL_CIPHER_num(sk); index++) {
-	    size_t i;
-	    SSL_CIPHER_description( sk_SSL_CIPHER_value( sk, index),
-				    buf, sizeof(buf));
-	    for (i = strlen(buf) - 1; i ; i--) {
-		if (buf[i] == ' ' || buf[i] == '\n' ||
-		    buf[i] == '\r' || buf[i] == '\t') {
-		    buf[i] = '\0';
-		} else {
-		    break;
-		}
-	    }
-	    Tcl_ListObjAppendElement( interp, objPtr,
-		Tcl_NewStringObj( buf, -1) );
-	}
-    }
-    SSL_free(ssl);
-    SSL_CTX_free(ctx);
-
-    Tcl_SetObjResult( interp, objPtr);
-    return TCL_OK;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * HandshakeObjCmd --
- *
- *	This command is used to verify whether the handshake is complete
- *	or not.
- *
- * Results:
- *	A standard Tcl result. 1 means handshake complete, 0 means pending.
- *
- * Side effects:
- *	May force SSL negotiation to take place.
- *
- *-------------------------------------------------------------------
- */
-
-static int HandshakeObjCmd(
-    TCL_UNUSED(void *),
-    Tcl_Interp *interp,
-    int objc,
-    Tcl_Obj *const objv[])
-{
-	Tcl_Channel chan;		/* The channel to set a mode on. */
-	State *statePtr;		/* client state for ssl socket */
-	const char *errStr = NULL;
-	int ret = 1;
-	int err = 0;
-
-	dprintf("Called");
-
-	if (objc != 2) {
-		Tcl_WrongNumArgs(interp, 1, objv, "channel");
-		return(TCL_ERROR);
-	}
-
-	chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
-	if (chan == (Tcl_Channel) NULL) {
-		return(TCL_ERROR);
-	}
-
-	/*
-	 * Make sure to operate on the topmost channel
-	 */
-	chan = Tcl_GetTopChannel(chan);
-	if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
-		Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL);
-		return(TCL_ERROR);
-	}
-	statePtr = (State *)Tcl_GetChannelInstanceData(chan);
-
-	dprintf("Calling Tls_WaitForConnect");
-	ret = Tls_WaitForConnect(statePtr, &err, 1);
-	dprintf("Tls_WaitForConnect returned: %i", ret);
-
-	if (
-	    ret < 0 && \
-	    ((statePtr->flags & TLS_TCL_ASYNC) && err == EAGAIN)
-	) {
-		dprintf("Async set and err = EAGAIN");
-		ret = 0;
-	} else if (ret < 0) {
-		errStr = statePtr->err;
-		Tcl_ResetResult(interp);
-		Tcl_SetErrno(err);
-
-		if (!errStr || *errStr == 0) {
-			errStr = Tcl_PosixError(interp);
-		}
-
-		Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL);
-		dprintf("Returning TCL_ERROR with handshake failed: %s", errStr);
-		return(TCL_ERROR);
-	} else {
-		if (err != 0) {
-			dprintf("Got an error with a completed handshake: err = %i", err);
-		}
-
-		ret = 1;
-	}
-
-	dprintf("Returning TCL_OK with data \"%i\"", ret);
-	Tcl_SetObjResult(interp, Tcl_NewIntObj(ret));
-	return(TCL_OK);
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * ImportObjCmd --
- *
- *	This procedure is invoked to process the "ssl" command
- *
- *	The ssl command pushes SSL over a (newly connected) tcp socket
- *
- * Results:
- *	A standard Tcl result.
- *
- * Side effects:
- *	May modify the behavior of an IO channel.
- *
- *-------------------------------------------------------------------
- */
-
-static int
-ImportObjCmd(
-    TCL_UNUSED(void *),
-    Tcl_Interp *interp,
-    int objc,
-    Tcl_Obj *const objv[])
-{
-    Tcl_Channel chan;		/* The channel to set a mode on. */
-    State *statePtr;		/* client state for ssl socket */
-    SSL_CTX *ctx	        = NULL;
-    Tcl_Obj *script	        = NULL;
-    Tcl_Obj *password	        = NULL;
-    Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar;
-    int idx;
-    Tcl_Size len;
-    int flags		        = TLS_TCL_INIT;
-    int server		        = 0;	/* is connection incoming or outgoing? */
-    char *keyfile	        = NULL;
-    char *certfile	        = NULL;
-    unsigned char *key  	= NULL;
-    Tcl_Size key_len        = 0;
-    unsigned char *cert     = NULL;
-    Tcl_Size cert_len       = 0;
-    char *ciphers	        = NULL;
-    char *CAfile	        = NULL;
-    char *CAdir		        = NULL;
-    char *DHparams	        = NULL;
-    char *model		        = NULL;
-#ifndef OPENSSL_NO_TLSEXT
-    char *servername	        = NULL;	/* hostname for Server Name Indication */
-#endif
-    int ssl2 = 0, ssl3 = 0;
-    int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
-    int proto = 0;
-    int verify = 0, require = 0, request = 1;
-
-    dprintf("Called");
-
-#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL3) && !defined(NO_SSL2)
-    ssl2 = 1;
-#endif
-#if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL2) && !defined(NO_SSL3)
-    ssl3 = 1;
-#endif
-#if defined(NO_TLS1)
-    tls1 = 0;
-#endif
-#if defined(NO_TLS1_1)
-    tls1_1 = 0;
-#endif
-#if defined(NO_TLS1_2)
-    tls1_2 = 0;
-#endif
-#if defined(NO_TLS1_3)
-    tls1_3 = 0;
-#endif
-
-    if (objc < 2) {
-	Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?");
-	return TCL_ERROR;
-    }
-
-    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
-    if (chan == (Tcl_Channel) NULL) {
-	return TCL_ERROR;
-    }
-
-    /*
-     * Make sure to operate on the topmost channel
-     */
-    chan = Tcl_GetTopChannel(chan);
-
-    for (idx = 2; idx < objc; idx++) {
-	char *opt = Tcl_GetString(objv[idx]);
-
-	if (opt[0] != '-')
-	    break;
-
-	OPTSTR( "-cadir", CAdir);
-	OPTSTR( "-cafile", CAfile);
-	OPTSTR( "-certfile", certfile);
-	OPTSTR( "-cipher", ciphers);
-	OPTOBJ( "-command", script);
-	OPTSTR( "-dhparams", DHparams);
-	OPTSTR( "-keyfile", keyfile);
-	OPTSTR( "-model", model);
-	OPTOBJ( "-password", password);
-	OPTBOOL( "-require", require);
-	OPTBOOL( "-request", request);
-	OPTBOOL( "-server", server);
-#ifndef OPENSSL_NO_TLSEXT
-        OPTSTR( "-servername", servername);
-#endif
-
-	OPTBOOL( "-ssl2", ssl2);
-	OPTBOOL( "-ssl3", ssl3);
-	OPTBOOL( "-tls1", tls1);
-	OPTBOOL( "-tls1.1", tls1_1);
-	OPTBOOL( "-tls1.2", tls1_2);
-	OPTBOOL( "-tls1.3", tls1_3)
-	OPTBYTE("-cert", cert, cert_len);
-	OPTBYTE("-key", key, key_len);
-
-	OPTBAD( "option", "-cadir, -cafile, -cert, -certfile, -cipher, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3");
-
-	return TCL_ERROR;
-    }
-    if (request)	    verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
-    if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-    if (verify == 0)	verify = SSL_VERIFY_NONE;
-
-    proto |= (ssl2 ? TLS_PROTO_SSL2 : 0);
-    proto |= (ssl3 ? TLS_PROTO_SSL3 : 0);
-    proto |= (tls1 ? TLS_PROTO_TLS1 : 0);
-    proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0);
-    proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0);
-    proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0);
-
-    /* reset to NULL if blank string provided */
-    if (cert && !*cert)		        cert	        = NULL;
-    if (key && !*key)		        key	        = NULL;
-    if (certfile && !*certfile)         certfile	= NULL;
-    if (keyfile && !*keyfile)		keyfile	        = NULL;
-    if (ciphers && !*ciphers)	        ciphers	        = NULL;
-    if (CAfile && !*CAfile)	        CAfile	        = NULL;
-    if (CAdir && !*CAdir)	        CAdir	        = NULL;
-    if (DHparams && !*DHparams)	        DHparams        = NULL;
-
-    /* new SSL state */
-    statePtr		= (State *) ckalloc((unsigned) sizeof(State));
-    memset(statePtr, 0, sizeof(State));
-
-    statePtr->flags	= flags;
-    statePtr->interp	= interp;
-    statePtr->vflags	= verify;
-    statePtr->err	= "";
-
-    /* allocate script */
-    if (script) {
-	(void) Tcl_GetStringFromObj(script, &len);
-	if (len) {
-	    statePtr->callback = script;
-	    Tcl_IncrRefCount(statePtr->callback);
-	}
-    }
-
-    /* allocate password */
-    if (password) {
-	(void) Tcl_GetStringFromObj(password, &len);
-	if (len) {
-	    statePtr->password = password;
-	    Tcl_IncrRefCount(statePtr->password);
-	}
-    }
-
-    if (model != NULL) {
-	int mode;
-	/* Get the "model" context */
-	chan = Tcl_GetChannel(interp, model, &mode);
-	if (chan == (Tcl_Channel) NULL) {
-	    Tls_Free((void *)statePtr);
-	    return TCL_ERROR;
-	}
-
-        /*
-         * Make sure to operate on the topmost channel
-         */
-        chan = Tcl_GetTopChannel(chan);
-	if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
-	    Tcl_AppendResult(interp, "bad channel \"",
-		    Tcl_GetChannelName(chan), "\": not a TLS channel", (char *)NULL);
-	    Tls_Free((void *)statePtr);
-	    return TCL_ERROR;
-	}
-	ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
-    } else {
-	if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key,
-    cert, key_len, cert_len, CAdir, CAfile, ciphers,
-    DHparams)) == (SSL_CTX*)0) {
-	    Tls_Free((void *)statePtr);
-	    return TCL_ERROR;
-	}
-    }
-
-    statePtr->ctx = ctx;
-
-    /*
-     * We need to make sure that the channel works in binary (for the
-     * encryption not to get goofed up).
-     * We only want to adjust the buffering in pre-v2 channels, where
-     * each channel in the stack maintained its own buffers.
-     */
-    Tcl_DStringInit(&upperChannelTranslation);
-    Tcl_DStringInit(&upperChannelBlocking);
-    Tcl_DStringInit(&upperChannelEOFChar);
-    Tcl_DStringInit(&upperChannelEncoding);
-    Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar);
-    Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding);
-    Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation);
-    Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking);
-    Tcl_SetChannelOption(interp, chan, "-translation", "binary");
-    Tcl_SetChannelOption(interp, chan, "-blocking", "true");
-    dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan));
-    statePtr->self = Tcl_StackChannel(interp, Tls_ChannelType(), statePtr, (TCL_READABLE | TCL_WRITABLE), chan);
-    dprintf("Created channel named %s", Tcl_GetChannelName(statePtr->self));
-    if (statePtr->self == (Tcl_Channel) NULL) {
-	/*
-	 * No use of Tcl_EventuallyFree because no possible Tcl_Preserve.
-	 */
-	Tls_Free((void *)statePtr);
-	return TCL_ERROR;
-    }
-
-    Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation));
-    Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding));
-    Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar));
-    Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking));
-
-    /*
-     * SSL Initialization
-     */
-
-    statePtr->ssl = SSL_new(statePtr->ctx);
-    if (!statePtr->ssl) {
-	/* SSL library error */
-	Tcl_AppendResult(interp, "couldn't construct ssl session: ", REASON(),
-		(char *) NULL);
-	Tls_Free((void *)statePtr);
-	return TCL_ERROR;
-    }
-
-#ifndef OPENSSL_NO_TLSEXT
-    if (servername) {
-        if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) {
-            Tcl_AppendResult(interp, "setting TLS host name extension failed",
-                (char *) NULL);
-            Tls_Free((void *)statePtr);
-            return TCL_ERROR;
-        }
-    }
-#endif
-
-    /*
-     * SSL Callbacks
-     */
-
-    SSL_set_app_data(statePtr->ssl, (void *)statePtr);	/* point back to us */
-
-    SSL_set_verify(statePtr->ssl, verify, VerifyCallback);
-
-    SSL_CTX_set_info_callback(statePtr->ctx, InfoCallback);
-
-    /* Create Tcl_Channel BIO Handler */
-    statePtr->p_bio	= BIO_new_tcl(statePtr, BIO_NOCLOSE);
-    statePtr->bio	= BIO_new(BIO_f_ssl());
-
-    if (server) {
-	statePtr->flags |= TLS_TCL_SERVER;
-	SSL_set_accept_state(statePtr->ssl);
-    } else {
-	SSL_set_connect_state(statePtr->ssl);
-    }
-    SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio);
-    BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE);
-
-    /*
-     * End of SSL Init
-     */
-    dprintf("Returning %s", Tcl_GetChannelName(statePtr->self));
-    Tcl_SetResult(interp, (char *) Tcl_GetChannelName(statePtr->self),
-	    TCL_VOLATILE);
-    return TCL_OK;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * UnimportObjCmd --
- *
- *	This procedure is invoked to remove the topmost channel filter.
- *
- * Results:
- *	A standard Tcl result.
- *
- * Side effects:
- *	May modify the behavior of an IO channel.
- *
- *-------------------------------------------------------------------
- */
-
-static int
-UnimportObjCmd(
-    TCL_UNUSED(void *),
-    Tcl_Interp *interp,
-    int objc,
-    Tcl_Obj *const objv[])
-{
-    Tcl_Channel chan;		/* The channel to set a mode on. */
-
-    dprintf("Called");
-
-    if (objc != 2) {
-	Tcl_WrongNumArgs(interp, 1, objv, "channel");
-	return TCL_ERROR;
-    }
-
-    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
-    if (chan == (Tcl_Channel) NULL) {
-	return TCL_ERROR;
-    }
-
-    /*
-     * Make sure to operate on the topmost channel
-     */
-    chan = Tcl_GetTopChannel(chan);
-
-    if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
-	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
-		"\": not a TLS channel", (char *)NULL);
-	return TCL_ERROR;
-    }
-
-    if (Tcl_UnstackChannel(interp, chan) == TCL_ERROR) {
-	return TCL_ERROR;
-    }
-
-    return TCL_OK;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * CTX_Init -- construct a SSL_CTX instance
- *
- * Results:
- *	A valid SSL_CTX instance or NULL.
- *
- * Side effects:
- *	constructs SSL context (CTX)
- *
- *-------------------------------------------------------------------
- */
-
-static SSL_CTX *
-CTX_Init(
-    State *statePtr,
-    TCL_UNUSED(int) /* isServer */,
-    int proto,
-    char *keyfile,
-    char *certfile,
-    unsigned char *key,
-    unsigned char *cert,
-    int key_len,
-    int cert_len,
-    char *CAdir,
-    char *CAfile,
-    char *ciphers,
-    char *DHparams)
-{
-    Tcl_Interp *interp = statePtr->interp;
-    SSL_CTX *ctx = NULL;
-    Tcl_DString ds;
-    Tcl_DString ds1;
-    int off = 0;
-    int load_private_key;
-    const SSL_METHOD *method;
-
-    dprintf("Called");
-
-    if (!proto) {
-	Tcl_AppendResult(interp, "no valid protocol selected", (char *)NULL);
-	return (SSL_CTX *)0;
-    }
-
-    /* create SSL context */
-#if defined(NO_SSL2)
-    if (ENABLED(proto, TLS_PROTO_SSL2)) {
-	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-	return (SSL_CTX *)0;
-    }
-#endif
-#if defined(NO_SSL3)
-    if (ENABLED(proto, TLS_PROTO_SSL3)) {
-	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-	return (SSL_CTX *)0;
-    }
-#endif
-#if defined(NO_TLS1)
-    if (ENABLED(proto, TLS_PROTO_TLS1)) {
-	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-	return (SSL_CTX *)0;
-    }
-#endif
-#if defined(NO_TLS1_1)
-    if (ENABLED(proto, TLS_PROTO_TLS1_1)) {
-	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-	return (SSL_CTX *)0;
-    }
-#endif
-#if defined(NO_TLS1_2)
-    if (ENABLED(proto, TLS_PROTO_TLS1_2)) {
-	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-	return (SSL_CTX *)0;
-    }
-#endif
-#if defined(NO_TLS1_3)
-    if (ENABLED(proto, TLS_PROTO_TLS1_3)) {
-	Tcl_AppendResult(interp, "protocol not supported", (char *)NULL);
-	return (SSL_CTX *)0;
-    }
-#endif
-
-    switch (proto) {
-#if !defined(NO_SSL2)
-    case TLS_PROTO_SSL2:
-	method = SSLv2_method ();
-	break;
-#endif
-#if !defined(NO_SSL3)
-    case TLS_PROTO_SSL3:
-	method = SSLv3_method ();
-	break;
-#endif
-#if !defined(NO_TLS1)
-    case TLS_PROTO_TLS1:
-	method = TLSv1_method ();
-	break;
-#endif
-#if !defined(NO_TLS1_1)
-    case TLS_PROTO_TLS1_1:
-	method = TLSv1_1_method ();
-	break;
-#endif
-#if !defined(NO_TLS1_2)
-    case TLS_PROTO_TLS1_2:
-	method = TLSv1_2_method ();
-	break;
-#endif
-#if !defined(NO_TLS1_3)
-    case TLS_PROTO_TLS1_3:
-        /*
-         * The version range is constrained below,
-         * after the context is created.  Use the
-         * generic method here.
-         */
-	method = TLS_method ();
-	break;
-#endif
-    default:
-#ifdef HAVE_TLS_METHOD
-        method = TLS_method ();
-#else
-        method = SSLv23_method ();
-#endif
-#if !defined(NO_SSL2)
-	off |= (ENABLED(proto, TLS_PROTO_SSL2)   ? 0 : SSL_OP_NO_SSLv2);
-#endif
-#if !defined(NO_SSL3)
-	off |= (ENABLED(proto, TLS_PROTO_SSL3)   ? 0 : SSL_OP_NO_SSLv3);
-#endif
-#if !defined(NO_TLS1)
-	off |= (ENABLED(proto, TLS_PROTO_TLS1)   ? 0 : SSL_OP_NO_TLSv1);
-#endif
-#if !defined(NO_TLS1_1)
-	off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1);
-#endif
-#if !defined(NO_TLS1_2)
-	off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2);
-#endif
-#if !defined(NO_TLS1_3)
-	off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3);
-#endif
-	break;
-    }
-
-    ctx = SSL_CTX_new (method);
-
-    if (!ctx) {
-        return(NULL);
-    }
-
-#if !defined(NO_TLS1_3)
-    if (proto == TLS_PROTO_TLS1_3) {
-        SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
-        SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
-    }
-#endif
-
-    SSL_CTX_set_app_data( ctx, (void*)interp);	/* remember the interpreter */
-    SSL_CTX_set_options( ctx, SSL_OP_ALL);	/* all SSL bug workarounds */
-    SSL_CTX_set_options( ctx, off);	/* all SSL bug workarounds */
-    SSL_CTX_sess_set_cache_size( ctx, 128);
-
-    if (ciphers != NULL)
-	SSL_CTX_set_cipher_list(ctx, ciphers);
-
-    /* set some callbacks */
-    SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
-
-#ifndef BSAFE
-    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr);
-#endif
-
-    /* read a Diffie-Hellman parameters file, or use the built-in one */
-#ifdef OPENSSL_NO_DH
-    if (DHparams != NULL) {
-	Tcl_AppendResult(interp,
-	    "DH parameter support not available", (char *) NULL);
-	SSL_CTX_free(ctx);
-	return (SSL_CTX *)0;
-    }
-#else
-    {
-	DH* dh;
-	if (DHparams != NULL) {
-	    BIO *bio;
-	    Tcl_DStringInit(&ds);
-	    bio = BIO_new_file(F2N(DHparams, &ds), "r");
-	    if (!bio) {
-		Tcl_DStringFree(&ds);
-		Tcl_AppendResult(interp,
-		    "Could not find DH parameters file", (char *) NULL);
-		SSL_CTX_free(ctx);
-		return (SSL_CTX *)0;
-	    }
-
-	    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-	    BIO_free(bio);
-	    Tcl_DStringFree(&ds);
-	    if (!dh) {
-		Tcl_AppendResult(interp,
-		    "Could not read DH parameters from file", (char *) NULL);
-		SSL_CTX_free(ctx);
-		return (SSL_CTX *)0;
-	    }
-	} else {
-	    dh = get_dhParams();
-	}
-	SSL_CTX_set_tmp_dh(ctx, dh);
-	DH_free(dh);
-    }
-#endif
-
-    /* set our certificate */
-    load_private_key = 0;
-    if (certfile != NULL) {
-	load_private_key = 1;
-
-	Tcl_DStringInit(&ds);
-
-	if (SSL_CTX_use_certificate_file(ctx, F2N( certfile, &ds),
-					SSL_FILETYPE_PEM) <= 0) {
-	    Tcl_DStringFree(&ds);
-	    Tcl_AppendResult(interp,
-			     "unable to set certificate file ", certfile, ": ",
-			     REASON(), (char *) NULL);
-	    SSL_CTX_free(ctx);
-	    return (SSL_CTX *)0;
-	}
-    } else if (cert != NULL) {
-	load_private_key = 1;
-	if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
-	    Tcl_DStringFree(&ds);
-	    Tcl_AppendResult(interp,
-			     "unable to set certificate: ",
-			     REASON(), (char *) NULL);
-	    SSL_CTX_free(ctx);
-	    return (SSL_CTX *)0;
-	}
-    } else {
-	certfile = (char*)X509_get_default_cert_file();
-
-	if (SSL_CTX_use_certificate_file(ctx, certfile,
-					SSL_FILETYPE_PEM) <= 0) {
-#if 0
-	    Tcl_DStringFree(&ds);
-	    Tcl_AppendResult(interp,
-			     "unable to use default certificate file ", certfile, ": ",
-			     REASON(), (char *) NULL);
-	    SSL_CTX_free(ctx);
-	    return (SSL_CTX *)0;
-#endif
-	}
-    }
-
-    /* set our private key */
-    if (load_private_key) {
-	if (keyfile == NULL && key == NULL) {
-	    keyfile = certfile;
-	}
-
-	if (keyfile != NULL) {
-	    /* get the private key associated with this certificate */
-	    if (keyfile == NULL) {
-		keyfile = certfile;
-	    }
-
-	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
-		Tcl_DStringFree(&ds);
-		/* flush the passphrase which might be left in the result */
-		Tcl_SetResult(interp, NULL, TCL_STATIC);
-		Tcl_AppendResult(interp,
-			         "unable to set public key file ", keyfile, " ",
-			         REASON(), (char *) NULL);
-		SSL_CTX_free(ctx);
-		return (SSL_CTX *)0;
-	    }
-
-	    Tcl_DStringFree(&ds);
-	} else if (key != NULL) {
-	    if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) {
-		Tcl_DStringFree(&ds);
-		/* flush the passphrase which might be left in the result */
-		Tcl_SetResult(interp, NULL, TCL_STATIC);
-		Tcl_AppendResult(interp,
-		                 "unable to set public key: ",
-		                 REASON(), (char *) NULL);
-		SSL_CTX_free(ctx);
-		return (SSL_CTX *)0;
-	    }
-	}
-	/* Now we know that a key and cert have been set against
-	 * the SSL context */
-	if (!SSL_CTX_check_private_key(ctx)) {
-	    Tcl_AppendResult(interp,
-			     "private key does not match the certificate public key",
-			     (char *) NULL);
-	    SSL_CTX_free(ctx);
-	    return (SSL_CTX *)0;
-	}
-    }
-
-    /* Set verification CAs */
-    Tcl_DStringInit(&ds);
-    Tcl_DStringInit(&ds1);
-    if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CAdir, &ds1)) ||
-	!SSL_CTX_set_default_verify_paths(ctx)) {
-#if 0
-	Tcl_DStringFree(&ds);
-	Tcl_DStringFree(&ds1);
-	/* Don't currently care if this fails */
-	Tcl_AppendResult(interp, "SSL default verify paths: ",
-		REASON(), (char *) NULL);
-	SSL_CTX_free(ctx);
-	return (SSL_CTX *)0;
-#endif
-    }
-
-    /* https://sourceforge.net/p/tls/bugs/57/ */
-    /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
-    if ( CAfile != NULL ) {
-        STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) );
-	if ( certNames != NULL ) {
-	    SSL_CTX_set_client_CA_list(ctx, certNames );
-	}
-    }
-
-    Tcl_DStringFree(&ds);
-    Tcl_DStringFree(&ds1);
-    return ctx;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * StatusObjCmd -- return certificate for connected peer.
- *
- * Results:
- *	A standard Tcl result.
- *
- * Side effects:
- *	None.
- *
- *-------------------------------------------------------------------
- */
-static int
-StatusObjCmd(
-    TCL_UNUSED(void *),
-    Tcl_Interp *interp,
-    int objc,
-    Tcl_Obj	*const objv[])
-{
-    State *statePtr;
-    X509 *peer;
-    Tcl_Obj *objPtr;
-    Tcl_Channel chan;
-    char *channelName, *ciphers;
-    int mode;
-
-    dprintf("Called");
-
-    switch (objc) {
-	case 2:
-	    channelName = Tcl_GetString(objv[1]);
-	    break;
-
-	case 3:
-	    if (!strcmp (Tcl_GetString (objv[1]), "-local")) {
-		channelName = Tcl_GetString(objv[2]);
-		break;
-	    }
-	    /* fallthrough */
-	default:
-	    Tcl_WrongNumArgs(interp, 1, objv, "?-local? channel");
-	    return TCL_ERROR;
-    }
-
-    chan = Tcl_GetChannel(interp, channelName, &mode);
-    if (chan == (Tcl_Channel) NULL) {
-	return TCL_ERROR;
-    }
-    /*
-     * Make sure to operate on the topmost channel
-     */
-    chan = Tcl_GetTopChannel(chan);
-    if (Tcl_GetChannelType(chan) != Tls_ChannelType()) {
-	Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan),
-		"\": not a TLS channel", (char *)NULL);
-	return TCL_ERROR;
-    }
-    statePtr = (State *) Tcl_GetChannelInstanceData(chan);
-    if (objc == 2) {
-	peer = SSL_get_peer_certificate(statePtr->ssl);
-    } else {
-	peer = SSL_get_certificate(statePtr->ssl);
-    }
-    if (peer) {
-	objPtr = Tls_NewX509Obj(interp, peer);
-	if (objc == 2) { X509_free(peer); }
-    } else {
-	objPtr = Tcl_NewListObj(0, NULL);
-    }
-
-    Tcl_ListObjAppendElement (interp, objPtr,
-	    Tcl_NewStringObj ("sbits", -1));
-    Tcl_ListObjAppendElement (interp, objPtr,
-	    Tcl_NewIntObj (SSL_get_cipher_bits (statePtr->ssl, NULL)));
-
-    ciphers = (char*)SSL_get_cipher(statePtr->ssl);
-    if (ciphers != NULL && strcmp(ciphers, "(NONE)")!=0) {
-	Tcl_ListObjAppendElement(interp, objPtr,
-		Tcl_NewStringObj("cipher", -1));
-	Tcl_ListObjAppendElement(interp, objPtr,
-		Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1));
-    }
-
-    Tcl_ListObjAppendElement(interp, objPtr,
-	Tcl_NewStringObj("version", -1));
-    Tcl_ListObjAppendElement(interp, objPtr,
-	Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1));
-
-    Tcl_SetObjResult( interp, objPtr);
-    return TCL_OK;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * VersionObjCmd -- return version string from OpenSSL.
- *
- * Results:
- *	A standard Tcl result.
- *
- * Side effects:
- *	None.
- *
- *-------------------------------------------------------------------
- */
-static int
-VersionObjCmd(
-    TCL_UNUSED(void *),
-    Tcl_Interp *interp,
-    TCL_UNUSED(int) /* objc */,
-    TCL_UNUSED(Tcl_Obj *const *) /* objv */)
-{
-    Tcl_Obj *objPtr;
-
-    dprintf("Called");
-
-    objPtr = Tcl_NewStringObj(OPENSSL_VERSION_TEXT, -1);
-
-    Tcl_SetObjResult(interp, objPtr);
-    return TCL_OK;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * MiscObjCmd -- misc commands
- *
- * Results:
- *	A standard Tcl result.
- *
- * Side effects:
- *	None.
- *
- *-------------------------------------------------------------------
- */
-static int
-MiscObjCmd(
-    TCL_UNUSED(void *),
-    Tcl_Interp *interp,
-    int objc,
-    Tcl_Obj	*const objv[])
-{
-    static const char *commands [] = { "req", NULL };
-    enum command { C_REQ, C_DUMMY };
-    int cmd;
-
-    dprintf("Called");
-
-    if (objc < 2) {
-	Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?");
-	return TCL_ERROR;
-    }
-    if (Tcl_GetIndexFromObj(interp, objv[1], commands,
-	    "command", 0,&cmd) != TCL_OK) {
-	return TCL_ERROR;
-    }
-
-    switch ((enum command) cmd) {
-	case C_REQ: {
-	    EVP_PKEY *pkey=NULL;
-	    X509 *cert=NULL;
-	    X509_NAME *name=NULL;
-	    Tcl_Obj **listv;
-	    Tcl_Size listc,i;
-
-	    BIO *out=NULL;
-
-	    const char *k_C="",*k_ST="",*k_L="",*k_O="",*k_OU="",*k_CN="",*k_Email="";
-	    char *keyout,*pemout,*str;
-	    int keysize,serial=0,days=365;
-
-	    if ((objc<5) || (objc>6)) {
-		Tcl_WrongNumArgs(interp, 2, objv, "keysize keyfile certfile ?info?");
-		return TCL_ERROR;
-	    }
-
-	    if (Tcl_GetIntFromObj(interp, objv[2], &keysize) != TCL_OK) {
-		return TCL_ERROR;
-	    }
-	    keyout=Tcl_GetString(objv[3]);
-	    pemout=Tcl_GetString(objv[4]);
-
-	    if (objc>=6) {
-		if (Tcl_ListObjGetElements(interp, objv[5],
-			&listc, &listv) != TCL_OK) {
-		    return TCL_ERROR;
-		}
-
-		if ((listc%2) != 0) {
-		    Tcl_SetResult(interp,"Information list must have even number of arguments",NULL);
-		    return TCL_ERROR;
-		}
-		for (i=0; i<listc; i+=2) {
-		    str=Tcl_GetString(listv[i]);
-		    if (strcmp(str,"days")==0) {
-			if (Tcl_GetIntFromObj(interp,listv[i+1],&days)!=TCL_OK)
-			    return TCL_ERROR;
-		    } else if (strcmp(str,"serial")==0) {
-			if (Tcl_GetIntFromObj(interp,listv[i+1],&serial)!=TCL_OK)
-			    return TCL_ERROR;
-		    } else if (strcmp(str,"serial")==0) {
-			if (Tcl_GetIntFromObj(interp,listv[i+1],&serial)!=TCL_OK)
-			    return TCL_ERROR;
-		    } else if (strcmp(str,"C")==0) {
-			k_C=Tcl_GetString(listv[i+1]);
-		    } else if (strcmp(str,"ST")==0) {
-			k_ST=Tcl_GetString(listv[i+1]);
-		    } else if (strcmp(str,"L")==0) {
-			k_L=Tcl_GetString(listv[i+1]);
-		    } else if (strcmp(str,"O")==0) {
-			k_O=Tcl_GetString(listv[i+1]);
-		    } else if (strcmp(str,"OU")==0) {
-			k_OU=Tcl_GetString(listv[i+1]);
-		    } else if (strcmp(str,"CN")==0) {
-			k_CN=Tcl_GetString(listv[i+1]);
-		    } else if (strcmp(str,"Email")==0) {
-			k_Email=Tcl_GetString(listv[i+1]);
-		    } else {
-			Tcl_SetResult(interp,"Unknown parameter",NULL);
-			return TCL_ERROR;
-		    }
-		}
-	    }
-	    if ((pkey = EVP_PKEY_new()) != NULL) {
-		if (!EVP_PKEY_assign_RSA(pkey,
-			RSA_generate_key(keysize, 0x10001, NULL, NULL))) {
-		    Tcl_SetResult(interp,"Error generating private key",NULL);
-		    EVP_PKEY_free(pkey);
-		    return TCL_ERROR;
-		}
-		out=BIO_new(BIO_s_file());
-		BIO_write_filename(out,keyout);
-		PEM_write_bio_PrivateKey(out,pkey,NULL,NULL,0,NULL,NULL);
-		BIO_free_all(out);
-
-		if ((cert=X509_new())==NULL) {
-		    Tcl_SetResult(interp,"Error generating certificate request",NULL);
-		    EVP_PKEY_free(pkey);
-		    return(TCL_ERROR);
-		}
-
-		X509_set_version(cert,2);
-		ASN1_INTEGER_set(X509_get_serialNumber(cert),serial);
-		X509_gmtime_adj(X509_get_notBefore(cert),0);
-		X509_gmtime_adj(X509_get_notAfter(cert),(long)60*60*24*days);
-		X509_set_pubkey(cert,pkey);
-
-		name=X509_get_subject_name(cert);
-
-		X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, (unsigned char *) k_C, -1, -1, 0);
-		X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, (unsigned char *) k_ST, -1, -1, 0);
-		X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, (unsigned char *) k_L, -1, -1, 0);
-		X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (unsigned char *) k_O, -1, -1, 0);
-		X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, (unsigned char *) k_OU, -1, -1, 0);
-		X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, (unsigned char *) k_CN, -1, -1, 0);
-		X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, (unsigned char *) k_Email, -1, -1, 0);
-
-		X509_set_subject_name(cert,name);
-
-		if (!X509_sign(cert,pkey,EVP_md5())) {
-		    X509_free(cert);
-		    EVP_PKEY_free(pkey);
-		    Tcl_SetResult(interp,"Error signing certificate",NULL);
-		    return TCL_ERROR;
-		}
-
-		out=BIO_new(BIO_s_file());
-		BIO_write_filename(out,pemout);
-
-		PEM_write_bio_X509(out,cert);
-		BIO_free_all(out);
-
-		X509_free(cert);
-		EVP_PKEY_free(pkey);
-	    } else {
-		Tcl_SetResult(interp,"Error generating private key",NULL);
-		return TCL_ERROR;
-	    }
-	}
-	break;
-    default:
-	break;
-    }
-    return TCL_OK;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * Tls_Free --
- *
- *	This procedure cleans up when a SSL socket based channel
- *	is closed and its reference count falls below 1
- *
- * Results:
- *	none
- *
- * Side effects:
- *	Frees all the state
- *
- *-------------------------------------------------------------------
- */
-void
-#if TCL_MAJOR_VERSION > 8
-Tls_Free( void *blockPtr )
-#else
-Tls_Free( char *blockPtr )
-#endif
-{
-    State *statePtr = (State *)blockPtr;
-
-    dprintf("Called");
-
-    Tls_Clean(statePtr);
-    ckfree(blockPtr);
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * Tls_Clean --
- *
- *	This procedure cleans up when a SSL socket based channel
- *	is closed and its reference count falls below 1.  This should
- *	be called synchronously by the CloseProc, not in the
- *	EventuallyFree callback.
- *
- * Results:
- *	none
- *
- * Side effects:
- *	Frees all the state
- *
- *-------------------------------------------------------------------
- */
-void Tls_Clean(State *statePtr) {
-    dprintf("Called");
-
-    /*
-     * we're assuming here that we're single-threaded
-     */
-    if (statePtr->timer != (Tcl_TimerToken) NULL) {
-	Tcl_DeleteTimerHandler(statePtr->timer);
-	statePtr->timer = NULL;
-    }
-
-    if (statePtr->bio) {
-	/* This will call SSL_shutdown. Bug 1414045 */
-	dprintf("BIO_free_all(%p)", statePtr->bio);
-	BIO_free_all(statePtr->bio);
-	statePtr->bio = NULL;
-    }
-    if (statePtr->ssl) {
-	dprintf("SSL_free(%p)", statePtr->ssl);
-	SSL_free(statePtr->ssl);
-	statePtr->ssl = NULL;
-    }
-    if (statePtr->ctx) {
-	SSL_CTX_free(statePtr->ctx);
-	statePtr->ctx = NULL;
-    }
-    if (statePtr->callback) {
-	Tcl_DecrRefCount(statePtr->callback);
-	statePtr->callback = NULL;
-    }
-    if (statePtr->password) {
-	Tcl_DecrRefCount(statePtr->password);
-	statePtr->password = NULL;
-    }
-
-    dprintf("Returning");
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * Tls_Init --
- *
- *	This is a package initialization procedure, which is called
- *	by Tcl when this package is to be added to an interpreter.
- *
- * Results:  Ssl configured and loaded
- *
- * Side effects:
- *	 create the ssl command, initialise ssl context
- *
- *-------------------------------------------------------------------
- */
-
-DLLEXPORT int Tls_Init(Tcl_Interp *interp) {
-	const char tlsTclInitScript[] = {
-#include "tls.tcl.h"
-            0x00
-	};
-
-        dprintf("Called");
-
-	/*
-	 * We only support Tcl 8.4 or newer
-	 */
-	if (
-#ifdef USE_TCL_STUBS
-	    Tcl_InitStubs(interp, "8.6-", 0)
-#else
-	    Tcl_PkgRequire(interp, "Tcl", "8.6-", 0)
-#endif
-	     == NULL) {
-		return TCL_ERROR;
-	}
-
-	if (TlsLibInit(0) != TCL_OK) {
-		Tcl_AppendResult(interp, "could not initialize SSL library", (char *)NULL);
-		return TCL_ERROR;
-	}
-
-	Tcl_CreateObjCommand(interp, "tls::ciphers", CiphersObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
-	Tcl_CreateObjCommand(interp, "tls::handshake", HandshakeObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
-	Tcl_CreateObjCommand(interp, "tls::import", ImportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
-	Tcl_CreateObjCommand(interp, "tls::unimport", UnimportObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
-	Tcl_CreateObjCommand(interp, "tls::status", StatusObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
-	Tcl_CreateObjCommand(interp, "tls::version", VersionObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
-	Tcl_CreateObjCommand(interp, "tls::misc", MiscObjCmd, (ClientData) 0, (Tcl_CmdDeleteProc *) NULL);
-
-	if (interp) {
-		Tcl_Eval(interp, tlsTclInitScript);
-	}
-
-	return(Tcl_PkgProvide(interp, "tls", PACKAGE_VERSION));
-}
-
-/*
- *------------------------------------------------------*
- *
- *	Tls_SafeInit --
- *
- *	------------------------------------------------*
- *	Standard procedure required by 'load'.
- *	Initializes this extension for a safe interpreter.
- *	------------------------------------------------*
- *
- *	Sideeffects:
- *		As of 'Tls_Init'
- *
- *	Result:
- *		A standard Tcl error code.
- *
- *------------------------------------------------------*
- */
-
-DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp) {
-	dprintf("Called");
-	return(Tls_Init(interp));
-}
-
-/*
- *------------------------------------------------------*
- *
- *	TlsLibInit --
- *
- *	------------------------------------------------*
- *	Initializes SSL library once per application
- *	------------------------------------------------*
- *
- *	Side effects:
- *		initilizes SSL library
- *
- *	Result:
- *		none
- *
- *------------------------------------------------------*
- */
-static int TlsLibInit(int uninitialize) {
-	static int initialized = 0;
-	int status = TCL_OK;
-#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
-	size_t num_locks;
-#endif
-
-	if (uninitialize) {
-		if (!initialized) {
-			dprintf("Asked to uninitialize, but we are not initialized");
-
-			return(TCL_OK);
-		}
-
-		dprintf("Asked to uninitialize");
-
-#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
-		Tcl_MutexLock(&init_mx);
-
-		CRYPTO_set_locking_callback(NULL);
-		CRYPTO_set_id_callback(NULL);
-
-		if (locks) {
-			free(locks);
-			locks = NULL;
-			locksCount = 0;
-		}
-#endif
-		initialized = 0;
-
-#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
-		Tcl_MutexUnlock(&init_mx);
-#endif
-
-		return(TCL_OK);
-	}
-
-	if (initialized) {
-		dprintf("Called, but using cached value");
-		return(status);
-	}
-
-	dprintf("Called");
-
-#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
-	Tcl_MutexLock(&init_mx);
-#endif
-	initialized = 1;
-
-#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
-	num_locks = CRYPTO_num_locks();
-	locksCount = num_locks;
-	locks = malloc(sizeof(*locks) * num_locks);
-	memset(locks, 0, sizeof(*locks) * num_locks);
-
-	CRYPTO_set_locking_callback(CryptoThreadLockCallback);
-	CRYPTO_set_id_callback(CryptoThreadIdCallback);
-#endif
-
-	if (SSL_library_init() != 1) {
-		status = TCL_ERROR;
-		goto done;
-	}
-
-	SSL_load_error_strings();
-	ERR_load_crypto_strings();
-
-	BIO_new_tcl(NULL, 0);
-
-#if 0
-	/*
-	 * XXX:TODO: Remove this code and replace it with a check
-	 * for enough entropy and do not try to create our own
-	 * terrible entropy
-	 */
-    /*
-     * Seed the random number generator in the SSL library,
-     * using the do/while construct because of the bug note in the
-     * OpenSSL FAQ at http://www.openssl.org/support/faq.html#USER1
-     *
-     * The crux of the problem is that Solaris 7 does not have a
-     * /dev/random or /dev/urandom device so it cannot gather enough
-     * entropy from the RAND_seed() when TLS initializes and refuses
-     * to go further. Earlier versions of OpenSSL carried on regardless.
-     */
-    srand((unsigned int) time((time_t *) NULL));
-    do {
-	for (i = 0; i < 16; i++) {
-	    rnd_seed[i] = 1 + (char) (255.0 * rand()/(RAND_MAX+1.0));
-	}
-	RAND_seed(rnd_seed, sizeof(rnd_seed));
-    } while (RAND_status() != 1);
-#endif
-
-done:
-#if defined(OPENSSL_THREADS) && defined(TCL_THREADS)
-	Tcl_MutexUnlock(&init_mx);
-#endif
-
-	return(status);
-}

DELETED tls.h
Index: tls.h
==================================================================
--- tls.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
- *
- * TLS (aka SSL) Channel - can be layered on any bi-directional
- * Tcl_Channel (Note: Requires Trf Core Patch)
- *
- * This was built from scratch based upon observation of OpenSSL 0.9.2B
- *
- * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
- * providing the Tcl_ReplaceChannel mechanism and working closely with me
- * to enhance it to support full fileevent semantics.
- *
- * Also work done by the follow people provided the impetus to do this "right":-
- *	tclSSL (Colin McCormack, Shared Technology)
- *	SSLtcl (Peter Antman)
- *
- */
-#ifndef _TLS_H
-#define _TLS_H
-
-#include <tcl.h>
-
-/*
- * Initialization routines -- our entire public C API.
- */
-DLLEXPORT int Tls_Init(Tcl_Interp *interp);
-DLLEXPORT int Tls_SafeInit(Tcl_Interp *interp);
-
-#endif /* _TLS_H */

DELETED tlsBIO.c
Index: tlsBIO.c
==================================================================
--- tlsBIO.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/*
- * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
- *
- * Provides BIO layer to interface openssl to Tcl.
- */
-
-#include "tlsInt.h"
-
-#ifdef TCLTLS_OPENSSL_PRE_1_1_API
-#define BIO_get_data(bio)                ((bio)->ptr)
-#define BIO_get_init(bio)                ((bio)->init)
-#define BIO_get_shutdown(bio)            ((bio)->shutdown)
-#define BIO_set_data(bio, val)           (bio)->ptr = (val)
-#define BIO_set_init(bio, val)           (bio)->init = (val)
-#define BIO_set_shutdown(bio, val)       (bio)->shutdown = (val)
-
-/* XXX: This assumes the variable being assigned to is BioMethods */
-#define BIO_meth_new(type_, name_)       (BIO_METHOD *)Tcl_Alloc(sizeof(BIO_METHOD)); \
-                                         memset(BioMethods, 0, sizeof(BIO_METHOD)); \
-                                         BioMethods->type = type_; \
-                                         BioMethods->name = name_;
-#define BIO_meth_set_write(bio, val)     (bio)->bwrite = val;
-#define BIO_meth_set_read(bio, val)      (bio)->bread = val;
-#define BIO_meth_set_puts(bio, val)      (bio)->bputs = val;
-#define BIO_meth_set_ctrl(bio, val)      (bio)->ctrl = val;
-#define BIO_meth_set_create(bio, val)    (bio)->create = val;
-#define BIO_meth_set_destroy(bio, val)   (bio)->destroy = val;
-#endif
-
-/*
- * Forward declarations
- */
-
-static int BioWrite (BIO *h, const char *buf, int num);
-static int BioRead  (BIO *h, char *buf, int num);
-static int BioPuts  (BIO *h, const char *str);
-static long BioCtrl (BIO *h, int cmd, long arg1, void *ptr);
-static int BioNew   (BIO *h);
-static int BioFree  (BIO *h);
-
-BIO *BIO_new_tcl(State *statePtr, int flags) {
-	BIO *bio;
-	static BIO_METHOD *BioMethods = NULL;
-#ifdef TCLTLS_SSL_USE_FASTPATH
-	Tcl_Channel parentChannel;
-	const Tcl_ChannelType *parentChannelType;
-	void *parentChannelFdIn_p, *parentChannelFdOut_p;
-	int parentChannelFdIn, parentChannelFdOut, parentChannelFd;
-	int validParentChannelFd;
-	int tclGetChannelHandleRet;
-#endif
-
-	dprintf("BIO_new_tcl() called");
-
-	if (BioMethods == NULL) {
-		BioMethods = BIO_meth_new(BIO_TYPE_TCL, "tcl");
-		BIO_meth_set_write(BioMethods, BioWrite);
-		BIO_meth_set_read(BioMethods, BioRead);
-		BIO_meth_set_puts(BioMethods, BioPuts);
-		BIO_meth_set_ctrl(BioMethods, BioCtrl);
-		BIO_meth_set_create(BioMethods, BioNew);
-		BIO_meth_set_destroy(BioMethods, BioFree);
-	}
-
-	if (statePtr == NULL) {
-		dprintf("Asked to setup a NULL state, just creating the initial configuration");
-
-		return(NULL);
-	}
-
-#ifdef TCLTLS_SSL_USE_FASTPATH
-	/*
-	 * If the channel can be mapped back to a file descriptor, just use the file descriptor
-	 * with the SSL library since it will likely be optimized for this.
-	 */
-	parentChannel = Tls_GetParent(statePtr, 0);
-	parentChannelType = Tcl_GetChannelType(parentChannel);
-
-	validParentChannelFd = 0;
-	if (strcmp(parentChannelType->typeName, "tcp") == 0) {
-		tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_READABLE, &parentChannelFdIn_p);
-		if (tclGetChannelHandleRet == TCL_OK) {
-			tclGetChannelHandleRet = Tcl_GetChannelHandle(parentChannel, TCL_WRITABLE, &parentChannelFdOut_p);
-			if (tclGetChannelHandleRet == TCL_OK) {
-				parentChannelFdIn = PTR2INT(parentChannelFdIn_p);
-				parentChannelFdOut = PTR2INT(parentChannelFdOut_p);
-				if (parentChannelFdIn == parentChannelFdOut) {
-					parentChannelFd = parentChannelFdIn;
-					validParentChannelFd = 1;
-				}
-			}
-		}
-	}
-
-	if (validParentChannelFd) {
-		dprintf("We found a shortcut, this channel is backed by a socket: %i", parentChannelFdIn);
-		bio = BIO_new_socket(parentChannelFd, flags);
-		statePtr->flags |= TLS_TCL_FASTPATH;
-		return(bio);
-	}
-
-	dprintf("Falling back to Tcl I/O for this channel");
-#endif
-
-	bio = BIO_new(BioMethods);
-	BIO_set_data(bio, statePtr);
-	BIO_set_shutdown(bio, flags);
-	BIO_set_init(bio, 1);
-
-	return(bio);
-}
-
-static int BioWrite(BIO *bio, const char *buf, int bufLen) {
-	Tcl_Channel chan;
-	int ret;
-	int tclEofChan, tclErrno;
-
-	chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
-
-	dprintf("[chan=%p] BioWrite(%p, <buf>, %d)", (void *)chan, (void *) bio, bufLen);
-
-	ret = Tcl_WriteRaw(chan, buf, bufLen);
-
-	tclEofChan = Tcl_Eof(chan);
-	tclErrno = Tcl_GetErrno();
-
-	dprintf("[chan=%p] BioWrite(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, Tcl_GetErrno());
-
-	BIO_clear_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY);
-
-	if (tclEofChan && ret <= 0) {
-		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
-		Tcl_SetErrno(ECONNRESET);
-		ret = 0;
-	} else if (ret == 0) {
-		dprintf("Got 0 from Tcl_WriteRaw, and EOF is not set; ret = 0");
-		dprintf("Setting retry read flag");
-		BIO_set_retry_read(bio);
-	} else if (ret < 0) {
-		dprintf("We got some kind of I/O error");
-
-		if (tclErrno == EAGAIN) {
-			dprintf("It's EAGAIN");
-		} else {
-			dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);
-		}
-	} else {
-		dprintf("Successfully wrote some data");
-	}
-
-	if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) {
-		if (BIO_should_read(bio)) {
-			dprintf("Setting should retry read flag");
-
-			BIO_set_retry_read(bio);
-		}
-	}
-
-	return(ret);
-}
-
-static int BioRead(BIO *bio, char *buf, int bufLen) {
-	Tcl_Channel chan;
-	int ret = 0;
-	int tclEofChan, tclErrno;
-
-	chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
-
-	dprintf("[chan=%p] BioRead(%p, <buf>, %d)", (void *) chan, (void *) bio, bufLen);
-
-	if (buf == NULL) {
-		return 0;
-	}
-
-	ret = Tcl_ReadRaw(chan, buf, bufLen);
-
-	tclEofChan = Tcl_Eof(chan);
-	tclErrno = Tcl_GetErrno();
-
-	dprintf("[chan=%p] BioRead(%d) -> %d [tclEof=%d; tclErrno=%d]", (void *) chan, bufLen, ret, tclEofChan, tclErrno);
-
-	BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
-
-	if (tclEofChan && ret <= 0) {
-		dprintf("Got EOF while reading, returning a Connection Reset error which maps to Soft EOF");
-		Tcl_SetErrno(ECONNRESET);
-		ret = 0;
-	} else if (ret == 0) {
-		dprintf("Got 0 from Tcl_Read or Tcl_ReadRaw, and EOF is not set; ret = 0");
-		dprintf("Setting retry read flag");
-		BIO_set_retry_read(bio);
-	} else if (ret < 0) {
-		dprintf("We got some kind of I/O error");
-
-		if (tclErrno == EAGAIN) {
-			dprintf("It's EAGAIN");
-		} else {
-			dprintf("It's an unepxected error: %s/%i", Tcl_ErrnoMsg(tclErrno), tclErrno);
-		}
-	} else {
-		dprintf("Successfully read some data");
-	}
-
-	if (ret != -1 || (ret == -1 && tclErrno == EAGAIN)) {
-		if (BIO_should_write(bio)) {
-			dprintf("Setting should retry write flag");
-
-			BIO_set_retry_write(bio);
-		}
-	}
-
-	dprintf("BioRead(%p, <buf>, %d) [%p] returning %i", (void *) bio, bufLen, (void *) chan, ret);
-
-	return(ret);
-}
-
-static int BioPuts(BIO *bio, const char *str) {
-	dprintf("BioPuts(%p, <string:%p>) called", bio, str);
-
-	return BioWrite(bio, str, (int) strlen(str));
-}
-
-static long BioCtrl(BIO *bio, int cmd, long num, void *ptr) {
-	Tcl_Channel chan;
-	long ret = 1;
-
-	chan = Tls_GetParent((State *) BIO_get_data(bio), 0);
-
-	dprintf("BioCtrl(%p, 0x%x, 0x%lx, %p)", bio, cmd, num, ptr);
-
-	switch (cmd) {
-		case BIO_CTRL_RESET:
-			dprintf("Got BIO_CTRL_RESET");
-			num = 0;
-			ret = 0;
-			break;
-		case BIO_C_FILE_SEEK:
-			dprintf("Got BIO_C_FILE_SEEK");
-			ret = 0;
-			break;
-		case BIO_C_FILE_TELL:
-			dprintf("Got BIO_C_FILE_TELL");
-			ret = 0;
-			break;
-		case BIO_CTRL_INFO:
-			dprintf("Got BIO_CTRL_INFO");
-			ret = 1;
-			break;
-		case BIO_C_SET_FD:
-			dprintf("Unsupported call: BIO_C_SET_FD");
-			ret = -1;
-			break;
-		case BIO_C_GET_FD:
-			dprintf("Unsupported call: BIO_C_GET_FD");
-			ret = -1;
-			break;
-		case BIO_CTRL_GET_CLOSE:
-			dprintf("Got BIO_CTRL_CLOSE");
-			ret = BIO_get_shutdown(bio);
-			break;
-		case BIO_CTRL_SET_CLOSE:
-			dprintf("Got BIO_SET_CLOSE");
-			BIO_set_shutdown(bio, num);
-			break;
-		case BIO_CTRL_EOF:
-			dprintf("Got BIO_CTRL_EOF");
-			ret = Tcl_Eof(chan);
-			break;
-		case BIO_CTRL_PENDING:
-			dprintf("Got BIO_CTRL_PENDING");
-			ret = ((chan) ? Tcl_InputBuffered(chan) : 0);
-			dprintf("BIO_CTRL_PENDING(%d)", (int) ret);
-			break;
-		case BIO_CTRL_WPENDING:
-			dprintf("Got BIO_CTRL_WPENDING");
-			ret = 0;
-			break;
-		case BIO_CTRL_DUP:
-			dprintf("Got BIO_CTRL_DUP");
-			break;
-		case BIO_CTRL_FLUSH:
-			dprintf("Got BIO_CTRL_FLUSH");
-			ret = ((Tcl_WriteRaw(chan, "", 0) >= 0) ? 1 : -1);
-			dprintf("BIO_CTRL_FLUSH returning value %li", ret);
-			break;
-		default:
-			dprintf("Got unknown control command (%i)", cmd);
-			ret = -2;
-			break;
-	}
-
-	return(ret);
-}
-
-static int BioNew(BIO *bio) {
-	dprintf("BioNew(%p) called", bio);
-
-	BIO_set_init(bio, 0);
-	BIO_set_data(bio, NULL);
-	BIO_clear_flags(bio, -1);
-
-	return(1);
-}
-
-static int BioFree(BIO *bio) {
-	if (bio == NULL) {
-		return(0);
-	}
-
-	dprintf("BioFree(%p) called", bio);
-
-	if (BIO_get_shutdown(bio)) {
-		if (BIO_get_init(bio)) {
-			/*shutdown(bio->num, 2) */
-			/*closesocket(bio->num) */
-		}
-
-		BIO_set_init(bio, 0);
-		BIO_clear_flags(bio, -1);
-	}
-
-	return(1);
-}

DELETED tlsIO.c
Index: tlsIO.c
==================================================================
--- tlsIO.c
+++ /dev/null
@@ -1,946 +0,0 @@
-/*
- * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
- * Copyright (C) 2000 Ajuba Solutions
- *
- * TLS (aka SSL) Channel - can be layered on any bi-directional
- * Tcl_Channel (Note: Requires Trf Core Patch)
- *
- * This was built from scratch based upon observation of OpenSSL 0.9.2B
- *
- * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
- * providing the Tcl_ReplaceChannel mechanism and working closely with me
- * to enhance it to support full fileevent semantics.
- *
- * Also work done by the follow people provided the impetus to do this "right":
- *	tclSSL (Colin McCormack, Shared Technology)
- *	SSLtcl (Peter Antman)
- *
- */
-
-#include "tlsInt.h"
-
-/*
- * Forward declarations
- */
-static int  TlsBlockModeProc (void *instanceData, int mode);
-static int  TlsCloseProc (void *instanceData, Tcl_Interp *interp);
-static int  TlsClose2Proc (void *instanceData, Tcl_Interp *interp, int flags);
-static int  TlsInputProc (void *instanceData, char *buf, int bufSize, int *errorCodePtr);
-static int  TlsOutputProc (void *instanceData, const char *buf, int toWrite, int *errorCodePtr);
-static int  TlsGetOptionProc (void *instanceData, Tcl_Interp *interp, const char *optionName, Tcl_DString *dsPtr);
-static void TlsWatchProc (void *instanceData, int mask);
-static int  TlsGetHandleProc (void *instanceData, int direction, void **handlePtr);
-static int  TlsNotifyProc (void *instanceData, int mask);
-static void TlsChannelHandlerTimer (void *clientData);
-
-/*
- * TLS Channel Type
- */
-static const Tcl_ChannelType tlsChannelType = {
-  "tls",                             /* typeName                             */
-  TCL_CHANNEL_VERSION_5,             /* version                              */
-  TlsCloseProc,                      /* closeProc                            */
-  TlsInputProc,                      /* inputProc                            */
-  TlsOutputProc,                     /* outputProc                           */
-  0,                                 /* seekProc                             */
-  0,                                 /* setOptionProc                        */
-  TlsGetOptionProc,                  /* getOptionProc                        */
-  TlsWatchProc,                      /* watchProc                            */
-  TlsGetHandleProc,                  /* getHandleProc                        */
-  TlsClose2Proc,                     /* close2Proc                           */
-  TlsBlockModeProc,                  /* blockModeProc                        */
-  0,                                 /* flushProc                            */
-  TlsNotifyProc,                     /* handlerProc                          */
-  0,                                 /* wideSeekProc                         */
-  0,                                 /* threadActionProc                     */
-  0                                  /* truncateProc                         */
-};
-
-
-/*
- *-------------------------------------------------------------------
- *
- * Tls_ChannelType --
- *
- *	Return the correct TLS channel driver info
- *
- * Results:
- *	The correct channel driver for the current version of Tcl.
- *
- * Side effects:
- *	None.
- *
- *-------------------------------------------------------------------
- */
-const Tcl_ChannelType *Tls_ChannelType(void) {
-	return &tlsChannelType;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsBlockModeProc --
- *
- *	This procedure is invoked by the generic IO level
- *       to set blocking and nonblocking modes
- * Results:
- *	0 if successful, errno when failed.
- *
- * Side effects:
- *	Sets the device into blocking or nonblocking mode.
- *
- *-------------------------------------------------------------------
- */
-static int TlsBlockModeProc(void *instanceData, int mode) {
-	State *statePtr = (State *) instanceData;
-
-	if (mode == TCL_MODE_NONBLOCKING) {
-		statePtr->flags |= TLS_TCL_ASYNC;
-	} else {
-		statePtr->flags &= ~(TLS_TCL_ASYNC);
-	}
-
-	return(0);
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsCloseProc --
- *
- *	This procedure is invoked by the generic IO level to perform
- *	channel-type-specific cleanup when a SSL socket based channel
- *	is closed.
- *
- *	Note: we leave the underlying socket alone, is this right?
- *
- * Results:
- *	0 if successful, the value of Tcl_GetErrno() if failed.
- *
- * Side effects:
- *	Closes the socket of the channel.
- *
- *-------------------------------------------------------------------
- */
-static int TlsCloseProc(void *instanceData, TCL_UNUSED(Tcl_Interp *)) {
-	State *statePtr = (State *) instanceData;
-
-	dprintf("TlsCloseProc(%p)", statePtr);
-
-	Tls_Clean(statePtr);
-	Tcl_EventuallyFree(statePtr, Tls_Free);
-
-	dprintf("Returning TCL_OK");
-
-	return(TCL_OK);
-}
-
-static int TlsClose2Proc(void *instanceData, Tcl_Interp *interp, int flags) {
-	if (!(flags&(TCL_CLOSE_READ|TCL_CLOSE_WRITE))) {
-	    return TlsCloseProc(instanceData, interp);
-	}
-	return EINVAL;
-}
-
-/*
- *------------------------------------------------------*
- *
- *	Tls_WaitForConnect --
- *
- *	Sideeffects:
- *		Issues SSL_accept or SSL_connect
- *
- *	Result:
- *		None.
- *
- *------------------------------------------------------*
- */
-int Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent) {
-	unsigned long backingError;
-	int err, rc;
-	int bioShouldRetry;
-
-	dprintf("WaitForConnect(%p)", statePtr);
-	dprintFlags(statePtr);
-
-	if (!(statePtr->flags & TLS_TCL_INIT)) {
-		dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success");
-		*errorCodePtr = 0;
-		return(0);
-	}
-
-	if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
-		/*
-		 * Different types of operations have different requirements
-		 * SSL being established
-		 */
-		if (handshakeFailureIsPermanent) {
-			dprintf("Asked to wait for a TLS handshake that has already failed.  Returning fatal error");
-			*errorCodePtr = ECONNABORTED;
-		} else {
-			dprintf("Asked to wait for a TLS handshake that has already failed.  Returning soft error");
-			*errorCodePtr = ECONNRESET;
-		}
-		return(-1);
-	}
-
-	for (;;) {
-		/* Not initialized yet! */
-		if (statePtr->flags & TLS_TCL_SERVER) {
-			dprintf("Calling SSL_accept()");
-
-			err = SSL_accept(statePtr->ssl);
-		} else {
-			dprintf("Calling SSL_connect()");
-
-			err = SSL_connect(statePtr->ssl);
-		}
-
-		if (err > 0) {
-			dprintf("That seems to have gone okay");
-
-			err = BIO_flush(statePtr->bio);
-
-			if (err <= 0) {
-				dprintf("Flushing the lower layers failed, this will probably terminate this session");
-			}
-		}
-
-		rc = SSL_get_error(statePtr->ssl, err);
-
-		dprintf("Got error: %i (rc = %i)", err, rc);
-
-		bioShouldRetry = 0;
-		if (err <= 0) {
-			if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) {
-				bioShouldRetry = 1;
-			} else if (BIO_should_retry(statePtr->bio)) {
-				bioShouldRetry = 1;
-			} else if (rc == SSL_ERROR_SYSCALL && Tcl_GetErrno() == EAGAIN) {
-				bioShouldRetry = 1;
-			}
-		} else {
-			if (!SSL_is_init_finished(statePtr->ssl)) {
-				bioShouldRetry = 1;
-			}
-		}
-
-		if (bioShouldRetry) {
-			dprintf("The I/O did not complete -- but we should try it again");
-
-			if (statePtr->flags & TLS_TCL_ASYNC) {
-				dprintf("Returning EAGAIN so that it can be retried later");
-
-				*errorCodePtr = EAGAIN;
-
-				return(-1);
-			} else {
-				dprintf("Doing so now");
-
-				continue;
-			}
-		}
-
-		dprintf("We have either completely established the session or completely failed it -- there is no more need to ever retry it though");
-		break;
-	}
-
-
-	*errorCodePtr = EINVAL;
-
-	switch (rc) {
-		case SSL_ERROR_NONE:
-			/* The connection is up, we are done here */
-			dprintf("The connection is up");
-			break;
-		case SSL_ERROR_ZERO_RETURN:
-			dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...")
-			return(-1);
-		case SSL_ERROR_SYSCALL:
-			backingError = ERR_get_error();
-
-			if (backingError == 0 && err == 0) {
-				dprintf("EOF reached")
-				*errorCodePtr = ECONNRESET;
-			} else if (backingError == 0 && err == -1) {
-				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
-				*errorCodePtr = Tcl_GetErrno();
-				if (*errorCodePtr == ECONNRESET) {
-					*errorCodePtr = ECONNABORTED;
-				}
-			} else {
-				dprintf("I/O error occured (backingError = %lu)", backingError);
-				*errorCodePtr = backingError;
-				if (*errorCodePtr == ECONNRESET) {
-					*errorCodePtr = ECONNABORTED;
-				}
-			}
-
-			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
-
-			return(-1);
-		case SSL_ERROR_SSL:
-			dprintf("Got permanent fatal SSL error, aborting immediately");
-			Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error()));
-			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
-			*errorCodePtr = ECONNABORTED;
-			return(-1);
-		case SSL_ERROR_WANT_CONNECT:
-		case SSL_ERROR_WANT_ACCEPT:
-		case SSL_ERROR_WANT_X509_LOOKUP:
-		default:
-			dprintf("We got a confusing reply: %i", rc);
-			*errorCodePtr = Tcl_GetErrno();
-			dprintf("ERR(%d, %d) ", rc, *errorCodePtr);
-			return(-1);
-	}
-
-#if 0
-	if (statePtr->flags & TLS_TCL_SERVER) {
-		dprintf("This is an TLS server, checking the certificate for the peer");
-
-		err = SSL_get_verify_result(statePtr->ssl);
-		if (err != X509_V_OK) {
-			dprintf("Invalid certificate, returning in failure");
-
-			Tls_Error(statePtr, (char *)X509_verify_cert_error_string(err));
-			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
-			*errorCodePtr = ECONNABORTED;
-			return(-1);
-		}
-	}
-#endif
-
-	dprintf("Removing the \"TLS_TCL_INIT\" flag since we have completed the handshake");
-	statePtr->flags &= ~TLS_TCL_INIT;
-
-	dprintf("Returning in success");
-	*errorCodePtr = 0;
-
-	return(0);
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsInputProc --
- *
- *	This procedure is invoked by the generic IO level
- *       to read input from a SSL socket based channel.
- *
- * Results:
- *	The number of bytes read is returned or -1 on error. An output
- *	argument contains the POSIX error code on error, or zero if no
- *	error occurred.
- *
- * Side effects:
- *	Reads input from the input device of the channel.
- *
- *-------------------------------------------------------------------
- */
-
-static int TlsInputProc(void *instanceData, char *buf, int bufSize, int *errorCodePtr) {
-	unsigned long backingError;
-	State *statePtr = (State *) instanceData;
-	int bytesRead;
-	int tlsConnect;
-	int err;
-
-	*errorCodePtr = 0;
-
-	dprintf("BIO_read(%d)", bufSize);
-
-	if (statePtr->flags & TLS_TCL_CALLBACK) {
-		/* don't process any bytes while verify callback is running */
-		dprintf("Callback is running, reading 0 bytes");
-		return(0);
-	}
-
-	dprintf("Calling Tls_WaitForConnect");
-	tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0);
-	if (tlsConnect < 0) {
-		dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr);
-
-		bytesRead = -1;
-		if (*errorCodePtr == ECONNRESET) {
-			dprintf("Got connection reset");
-			/* Soft EOF */
-			*errorCodePtr = 0;
-			bytesRead = 0;
-		}
-
-		return(bytesRead);
-	}
-
-	/*
-	 * We need to clear the SSL error stack now because we sometimes reach
-	 * this function with leftover errors in the stack.  If BIO_read
-	 * returns -1 and intends EAGAIN, there is a leftover error, it will be
-	 * misconstrued as an error, not EAGAIN.
-	 *
-	 * Alternatively, we may want to handle the <0 return codes from
-	 * BIO_read specially (as advised in the RSA docs).  TLS's lower level BIO
-	 * functions play with the retry flags though, and this seems to work
-	 * correctly.  Similar fix in TlsOutputProc. - hobbs
-	 */
-	ERR_clear_error();
-	bytesRead = BIO_read(statePtr->bio, buf, bufSize);
-	dprintf("BIO_read -> %d", bytesRead);
-
-	err = SSL_get_error(statePtr->ssl, bytesRead);
-
-#if 0
-	if (bytesRead <= 0) {
-		if (BIO_should_retry(statePtr->bio)) {
-			dprintf("I/O failed, will retry based on EAGAIN");
-			*errorCodePtr = EAGAIN;
-		}
-	}
-#endif
-
-	switch (err) {
-		case SSL_ERROR_NONE:
-			dprintBuffer(buf, bytesRead);
-			break;
-		case SSL_ERROR_SSL:
-			dprintf("SSL negotiation error, indicating that the connection has been aborted");
-
-			Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, bytesRead));
-			*errorCodePtr = ECONNABORTED;
-			bytesRead = -1;
-
-			break;
-		case SSL_ERROR_SYSCALL:
-			backingError = ERR_get_error();
-
-			if (backingError == 0 && bytesRead == 0) {
-				dprintf("EOF reached")
-				*errorCodePtr = 0;
-				bytesRead = 0;
-			} else if (backingError == 0 && bytesRead == -1) {
-				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
-				*errorCodePtr = Tcl_GetErrno();
-				bytesRead = -1;
-			} else {
-				dprintf("I/O error occured (backingError = %lu)", backingError);
-				*errorCodePtr = backingError;
-				bytesRead = -1;
-			}
-
-			break;
-		case SSL_ERROR_ZERO_RETURN:
-			dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached");
-			bytesRead = 0;
-			*errorCodePtr = 0;
-			break;
-		case SSL_ERROR_WANT_READ:
-			dprintf("Got SSL_ERROR_WANT_READ, mapping this to EAGAIN");
-			bytesRead = -1;
-			*errorCodePtr = EAGAIN;
-			break;
-		default:
-			dprintf("Unknown error (err = %i), mapping to EOF", err);
-			*errorCodePtr = 0;
-			bytesRead = 0;
-			break;
-	}
-
-	dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr);
-	return(bytesRead);
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsOutputProc --
- *
- *	This procedure is invoked by the generic IO level
- *       to write output to a SSL socket based channel.
- *
- * Results:
- *	The number of bytes written is returned. An output argument is
- *	set to a POSIX error code if an error occurred, or zero.
- *
- * Side effects:
- *	Writes output on the output device of the channel.
- *
- *-------------------------------------------------------------------
- */
-
-static int TlsOutputProc(void *instanceData, const char *buf, int toWrite, int *errorCodePtr) {
-	unsigned long backingError;
-	State *statePtr = (State *) instanceData;
-	int written, err;
-	int tlsConnect;
-
-	*errorCodePtr = 0;
-
-	dprintf("BIO_write(%p, %d)", (void *) statePtr, toWrite);
-	dprintBuffer(buf, toWrite);
-
-	if (statePtr->flags & TLS_TCL_CALLBACK) {
-		dprintf("Don't process output while callbacks are running")
-		written = -1;
-		*errorCodePtr = EAGAIN;
-		return(-1);
-	}
-
-	dprintf("Calling Tls_WaitForConnect");
-	tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1);
-	if (tlsConnect < 0) {
-		dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr);
-
-		written = -1;
-		if (*errorCodePtr == ECONNRESET) {
-			dprintf("Got connection reset");
-			/* Soft EOF */
-			*errorCodePtr = 0;
-			written = 0;
-		}
-
-		return(written);
-	}
-
-	if (toWrite == 0) {
-		dprintf("zero-write");
-		err = BIO_flush(statePtr->bio);
-
-		if (err <= 0) {
-			dprintf("Flushing failed");
-
-			*errorCodePtr = EIO;
-			written = 0;
-			return(-1);
-		}
-
-		written = 0;
-		*errorCodePtr = 0;
-		return(0);
-	}
-
-	/*
-	 * We need to clear the SSL error stack now because we sometimes reach
-	 * this function with leftover errors in the stack.  If BIO_write
-	 * returns -1 and intends EAGAIN, there is a leftover error, it will be
-	 * misconstrued as an error, not EAGAIN.
-	 *
-	 * Alternatively, we may want to handle the <0 return codes from
-	 * BIO_write specially (as advised in the RSA docs).  TLS's lower level
-	 * BIO functions play with the retry flags though, and this seems to
-	 * work correctly.  Similar fix in TlsInputProc. - hobbs
-	 */
-	ERR_clear_error();
-	written = BIO_write(statePtr->bio, buf, toWrite);
-	dprintf("BIO_write(%p, %d) -> [%d]", (void *) statePtr, toWrite, written);
-
-	err = SSL_get_error(statePtr->ssl, written);
-	switch (err) {
-		case SSL_ERROR_NONE:
-			if (written < 0) {
-				written = 0;
-			}
-			break;
-		case SSL_ERROR_WANT_WRITE:
-			dprintf("Got SSL_ERROR_WANT_WRITE, mapping it to EAGAIN");
-			*errorCodePtr = EAGAIN;
-			written = -1;
-			break;
-		case SSL_ERROR_WANT_READ:
-			dprintf(" write R BLOCK");
-			break;
-		case SSL_ERROR_WANT_X509_LOOKUP:
-			dprintf(" write X BLOCK");
-			break;
-		case SSL_ERROR_ZERO_RETURN:
-			dprintf(" closed");
-			written = 0;
-			*errorCodePtr = 0;
-			break;
-		case SSL_ERROR_SYSCALL:
-			backingError = ERR_get_error();
-
-			if (backingError == 0 && written == 0) {
-				dprintf("EOF reached")
-				*errorCodePtr = 0;
-				written = 0;
-			} else if (backingError == 0 && written == -1) {
-				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
-				*errorCodePtr = Tcl_GetErrno();
-				written = -1;
-			} else {
-				dprintf("I/O error occured (backingError = %lu)", backingError);
-				*errorCodePtr = backingError;
-				written = -1;
-			}
-
-			break;
-		case SSL_ERROR_SSL:
-			Tls_Error(statePtr, TCLTLS_SSL_ERROR(statePtr->ssl, written));
-			*errorCodePtr = ECONNABORTED;
-			written = -1;
-			break;
-		default:
-			dprintf(" unknown err: %d", err);
-			break;
-	}
-
-	dprintf("Output(%d) -> %d", toWrite, written);
-	return(written);
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsGetOptionProc --
- *
- *	Computes an option value for a SSL socket based channel, or a
- *	list of all options and their values.
- *
- * Results:
- *	A standard Tcl result. The value of the specified option or a
- *	list of all options and	their values is returned in the
- *	supplied DString.
- *
- * Side effects:
- *	None.
- *
- *-------------------------------------------------------------------
- */
-static int
-TlsGetOptionProc(void *instanceData,	/* Socket state. */
-	Tcl_Interp *interp,		/* For errors - can be NULL. */
-	const char *optionName,		/* Name of the option to
-					 * retrieve the value for, or
-					 * NULL to get all options and
-					 * their values. */
-	Tcl_DString *dsPtr)		/* Where to store the computed value
-					 * initialized by caller. */
-{
-    State *statePtr = (State *) instanceData;
-
-   Tcl_Channel downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH);
-   Tcl_DriverGetOptionProc *getOptionProc;
-
-    getOptionProc = Tcl_ChannelGetOptionProc(Tcl_GetChannelType(downChan));
-    if (getOptionProc != NULL) {
-        return (*getOptionProc)(Tcl_GetChannelInstanceData(downChan), interp, optionName, dsPtr);
-    } else if (optionName == (char*) NULL) {
-        /*
-         * Request is query for all options, this is ok.
-         */
-         return TCL_OK;
-    }
-    /*
-     * Request for a specific option has to fail, we don't have any.
-     */
-    return TCL_ERROR;
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsWatchProc --
- *
- *	Initialize the notifier to watch Tcl_Files from this channel.
- *
- * Results:
- *	None.
- *
- * Side effects:
- *	Sets up the notifier so that a future event on the channel
- *	will be seen by Tcl.
- *
- *-------------------------------------------------------------------
- */
-
-static void
-TlsWatchProc(void *instanceData,	/* The socket state. */
-             int mask)			/* Events of interest; an OR-ed
-                                         * combination of TCL_READABLE,
-                                         * TCL_WRITABLE and TCL_EXCEPTION. */
-{
-    Tcl_Channel     downChan;
-    State *statePtr = (State *) instanceData;
-
-    dprintf("TlsWatchProc(0x%x)", mask);
-
-    /* Pretend to be dead as long as the verify callback is running.
-     * Otherwise that callback could be invoked recursively. */
-    if (statePtr->flags & TLS_TCL_CALLBACK) {
-        dprintf("Callback is on-going, doing nothing");
-        return;
-    }
-
-    dprintFlags(statePtr);
-
-    downChan = Tls_GetParent(statePtr, TLS_TCL_FASTPATH);
-
-    if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
-        dprintf("Asked to watch a socket with a failed handshake -- nothing can happen here");
-
-	dprintf("Unregistering interest in the lower channel");
-	(Tcl_GetChannelType(downChan))->watchProc(Tcl_GetChannelInstanceData(downChan), 0);
-
-	statePtr->watchMask = 0;
-
-        return;
-    }
-
-	statePtr->watchMask = mask;
-
-	/* No channel handlers any more. We will be notified automatically
-	 * about events on the channel below via a call to our
-	 * 'TransformNotifyProc'. But we have to pass the interest down now.
-	 * We are allowed to add additional 'interest' to the mask if we want
-	 * to. But this transformation has no such interest. It just passes
-	 * the request down, unchanged.
-	 */
-
-
-        dprintf("Registering our interest in the lower channel (chan=%p)", (void *) downChan);
-	(Tcl_GetChannelType(downChan))
-	    ->watchProc(Tcl_GetChannelInstanceData(downChan), mask);
-
-	/*
-	 * Management of the internal timer.
-	 */
-
-	if (statePtr->timer != (Tcl_TimerToken) NULL) {
-            dprintf("A timer was found, deleting it");
-	    Tcl_DeleteTimerHandler(statePtr->timer);
-	    statePtr->timer = (Tcl_TimerToken) NULL;
-	}
-
-	if (mask & TCL_READABLE) {
-		if (Tcl_InputBuffered(statePtr->self) > 0 || BIO_ctrl_pending(statePtr->bio) > 0) {
-			/*
-			 * There is interest in readable events and we actually have
-			 * data waiting, so generate a timer to flush that.
-			 */
-			dprintf("Creating a new timer since data appears to be waiting");
-			statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, TlsChannelHandlerTimer, statePtr);
-		}
-	}
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsGetHandleProc --
- *
- *	Called from Tcl_GetChannelFile to retrieve o/s file handler
- *	from the SSL socket based channel.
- *
- * Results:
- *	The appropriate Tcl_File or NULL if not present.
- *
- * Side effects:
- *	None.
- *
- *-------------------------------------------------------------------
- */
-static int TlsGetHandleProc(void *instanceData, int direction, void **handlePtr) {
-	State *statePtr = (State *) instanceData;
-
-	return(Tcl_GetChannelHandle(Tls_GetParent(statePtr, TLS_TCL_FASTPATH), direction, handlePtr));
-}
-
-/*
- *-------------------------------------------------------------------
- *
- * TlsNotifyProc --
- *
- *	Handler called by Tcl to inform us of activity
- *	on the underlying channel.
- *
- * Results:
- *	None.
- *
- * Side effects:
- *	May process the incoming event by itself.
- *
- *-------------------------------------------------------------------
- */
-
-static int TlsNotifyProc(void *instanceData, int mask) {
-	State *statePtr = (State *) instanceData;
-	int errorCode;
-
-	/*
-	 * An event occured in the underlying channel.  This
-	 * transformation doesn't process such events thus returns the
-	 * incoming mask unchanged.
-	 */
-	if (statePtr->timer != (Tcl_TimerToken) NULL) {
-		/*
-		 * Delete an existing timer. It was not fired, yet we are
-		 * here, so the channel below generated such an event and we
-		 * don't have to. The renewal of the interest after the
-		 * execution of channel handlers will eventually cause us to
-		 * recreate the timer (in WatchProc).
-		 */
-		Tcl_DeleteTimerHandler(statePtr->timer);
-		statePtr->timer = (Tcl_TimerToken) NULL;
-	}
-
-	if (statePtr->flags & TLS_TCL_CALLBACK) {
-		dprintf("Returning 0 due to callback");
-		return 0;
-	}
-
-	dprintf("Calling Tls_WaitForConnect");
-	errorCode = 0;
-	if (Tls_WaitForConnect(statePtr, &errorCode, 1) < 0) {
-		if (errorCode == EAGAIN) {
-			dprintf("Async flag could be set (didn't check) and errorCode == EAGAIN:  Returning 0");
-
-			return 0;
-		}
-
-		dprintf("Tls_WaitForConnect returned an error");
-	}
-
-	dprintf("Returning %i", mask);
-
-	return(mask);
-}
-
-#if 0
-/*
- *------------------------------------------------------*
- *
- *      TlsChannelHandler --
- *
- *      ------------------------------------------------*
- *      Handler called by Tcl as a result of
- *      Tcl_CreateChannelHandler - to inform us of activity
- *      on the underlying channel.
- *      ------------------------------------------------*
- *
- *      Sideeffects:
- *              May generate subsequent calls to
- *              Tcl_NotifyChannel.
- *
- *      Result:
- *              None.
- *
- *------------------------------------------------------*
- */
-
-static void
-TlsChannelHandler (clientData, mask)
-    void *    clientData;
-    int            mask;
-{
-    State *statePtr = (State *) clientData;
-
-    dprintf("HANDLER(0x%x)", mask);
-    Tcl_Preserve(statePtr);
-
-    if (mask & TCL_READABLE) {
-	BIO_set_flags(statePtr->p_bio, BIO_FLAGS_READ);
-    } else {
-	BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_READ);
-    }
-
-    if (mask & TCL_WRITABLE) {
-	BIO_set_flags(statePtr->p_bio, BIO_FLAGS_WRITE);
-    } else {
-	BIO_clear_flags(statePtr->p_bio, BIO_FLAGS_WRITE);
-    }
-
-    mask = 0;
-    if (BIO_wpending(statePtr->bio)) {
-	mask |= TCL_WRITABLE;
-    }
-    if (BIO_pending(statePtr->bio)) {
-	mask |= TCL_READABLE;
-    }
-
-    /*
-     * The following NotifyChannel calls seems to be important, but
-     * we don't know why.  It looks like if the mask is ever non-zero
-     * that it will enter an infinite loop.
-     *
-     * Notify the upper channel of the current BIO state so the event
-     * continues to propagate up the chain.
-     *
-     * stanton: It looks like this could result in an infinite loop if
-     * the upper channel doesn't cause ChannelHandler to be removed
-     * before Tcl_NotifyChannel calls channel handlers on the lower channel.
-     */
-
-    Tcl_NotifyChannel(statePtr->self, mask);
-
-    if (statePtr->timer != (Tcl_TimerToken)NULL) {
-	Tcl_DeleteTimerHandler(statePtr->timer);
-	statePtr->timer = (Tcl_TimerToken)NULL;
-    }
-    if ((mask & TCL_READABLE) && Tcl_InputBuffered(statePtr->self) > 0) {
-	/*
-	 * Data is waiting, flush it out in short time
-	 */
-	statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY,
-		TlsChannelHandlerTimer, statePtr);
-    }
-    Tcl_Release(statePtr);
-}
-#endif
-
-/*
- *------------------------------------------------------*
- *
- *	TlsChannelHandlerTimer --
- *
- *	------------------------------------------------*
- *	Called by the notifier (-> timer) to flush out
- *	information waiting in channel buffers.
- *	------------------------------------------------*
- *
- *	Sideeffects:
- *		As of 'TlsChannelHandler'.
- *
- *	Result:
- *		None.
- *
- *------------------------------------------------------*
- */
-
-static void TlsChannelHandlerTimer(void *clientData) {
-	State *statePtr = (State *) clientData;
-	int mask = 0;
-
-	dprintf("Called");
-
-	statePtr->timer = (Tcl_TimerToken) NULL;
-
-	if (BIO_wpending(statePtr->bio)) {
-		dprintf("[chan=%p] BIO writable", statePtr->self);
-
-		mask |= TCL_WRITABLE;
-	}
-
-	if (BIO_pending(statePtr->bio)) {
-		dprintf("[chan=%p] BIO readable", statePtr->self);
-
-		mask |= TCL_READABLE;
-	}
-
-	dprintf("Notifying ourselves");
-	Tcl_NotifyChannel(statePtr->self, mask);
-
-	dprintf("Returning");
-
-	return;
-}
-
-Tcl_Channel Tls_GetParent(State *statePtr, int maskFlags) {
-	dprintf("Requested to get parent of channel %p", statePtr->self);
-
-	if ((statePtr->flags & ~maskFlags) & TLS_TCL_FASTPATH) {
-		dprintf("Asked to get the parent channel while we are using FastPath -- returning NULL");
-		return(NULL);
-	}
-
-	return(Tcl_GetStackedChannel(statePtr->self));
-}

DELETED tlsInt.h
Index: tlsInt.h
==================================================================
--- tlsInt.h
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Copyright (C) 1997-2000 Matt Newman <matt@novadigm.com>
- *
- * TLS (aka SSL) Channel - can be layered on any bi-directional
- * Tcl_Channel (Note: Requires Trf Core Patch)
- *
- * This was built from scratch based upon observation of OpenSSL 0.9.2B
- *
- * Addition credit is due for Andreas Kupries (a.kupries@westend.com), for
- * providing the Tcl_ReplaceChannel mechanism and working closely with me
- * to enhance it to support full fileevent semantics.
- *
- * Also work done by the follow people provided the impetus to do this "right":-
- *	tclSSL (Colin McCormack, Shared Technology)
- *	SSLtcl (Peter Antman)
- *
- */
-#ifndef _TLSINT_H
-#define _TLSINT_H
-
-#include "tls.h"
-#include <errno.h>
-#include <string.h>
-#include <stdint.h>
-
-#ifdef __WIN32__
-#define WIN32_LEAN_AND_MEAN
-#include <windows.h>
-#include <wincrypt.h> /* OpenSSL needs this on Windows */
-#endif
-
-#ifdef NO_PATENTS
-#  define NO_IDEA
-#  define NO_RC2
-#  define NO_RC4
-#  define NO_RC5
-#  define NO_RSA
-#  ifndef NO_SSL2
-#    define NO_SSL2
-#  endif
-#endif
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <openssl/opensslv.h>
-
-/*
- * Determine if we should use the pre-OpenSSL 1.1.0 API
- */
-#undef TCLTLS_OPENSSL_PRE_1_1
-#if (defined(LIBRESSL_VERSION_NUMBER)) || OPENSSL_VERSION_NUMBER < 0x10100000L
-#  define TCLTLS_OPENSSL_PRE_1_1_API 1
-#endif
-
-#ifndef ECONNABORTED
-#define ECONNABORTED	130	/* Software caused connection abort */
-#endif
-#ifndef ECONNRESET
-#define ECONNRESET	131	/* Connection reset by peer */
-#endif
-
-#ifdef TCLEXT_TCLTLS_DEBUG
-#include <ctype.h>
-#define dprintf(...) { \
-                       char dprintfBuffer[8192], *dprintfBuffer_p; \
-                       dprintfBuffer_p = &dprintfBuffer[0]; \
-                       dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():", __FILE__, __LINE__, __func__); \
-                       dprintfBuffer_p += sprintf(dprintfBuffer_p, __VA_ARGS__); \
-                       fprintf(stderr, "%s\n", dprintfBuffer); \
-                     }
-#define dprintBuffer(bufferName, bufferLength) { \
-                                                 int dprintBufferIdx; \
-                                                 unsigned char dprintBufferChar; \
-                                                 fprintf(stderr, "%s:%i:%s():%s[%llu]={", __FILE__, __LINE__, __func__, #bufferName, (unsigned long long) bufferLength); \
-                                                 for (dprintBufferIdx = 0; dprintBufferIdx < bufferLength; dprintBufferIdx++) { \
-                                                         dprintBufferChar = bufferName[dprintBufferIdx]; \
-                                                         if (isalpha(dprintBufferChar) || isdigit(dprintBufferChar)) { \
-                                                                 fprintf(stderr, "'%c' ", dprintBufferChar); \
-                                                         } else { \
-                                                                 fprintf(stderr, "%02x ", (unsigned int) dprintBufferChar); \
-                                                         }; \
-                                                 }; \
-                                                 fprintf(stderr, "}\n"); \
-                                               }
-#define dprintFlags(statePtr) { \
-                                char dprintfBuffer[8192], *dprintfBuffer_p; \
-                                dprintfBuffer_p = &dprintfBuffer[0]; \
-                                dprintfBuffer_p += sprintf(dprintfBuffer_p, "%s:%i:%s():%s->flags=0", __FILE__, __LINE__, __func__, #statePtr); \
-                                if (((statePtr)->flags & TLS_TCL_ASYNC) == TLS_TCL_ASYNC) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_ASYNC"); }; \
-                                if (((statePtr)->flags & TLS_TCL_SERVER) == TLS_TCL_SERVER) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_SERVER"); }; \
-                                if (((statePtr)->flags & TLS_TCL_INIT) == TLS_TCL_INIT) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_INIT"); }; \
-                                if (((statePtr)->flags & TLS_TCL_DEBUG) == TLS_TCL_DEBUG) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_DEBUG"); }; \
-                                if (((statePtr)->flags & TLS_TCL_CALLBACK) == TLS_TCL_CALLBACK) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_CALLBACK"); }; \
-                                if (((statePtr)->flags & TLS_TCL_HANDSHAKE_FAILED) == TLS_TCL_HANDSHAKE_FAILED) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_HANDSHAKE_FAILED"); }; \
-                                if (((statePtr)->flags & TLS_TCL_FASTPATH) == TLS_TCL_FASTPATH) { dprintfBuffer_p += sprintf(dprintfBuffer_p, "|TLS_TCL_FASTPATH"); }; \
-                                fprintf(stderr, "%s\n", dprintfBuffer); \
-                              }
-#else
-#define dprintf(...) if (0) { fprintf(stderr, __VA_ARGS__); }
-#define dprintBuffer(bufferName, bufferLength) /**/
-#define dprintFlags(statePtr) /**/
-#endif
-
-#define TCLTLS_SSL_ERROR(ssl,err) ((char*)ERR_reason_error_string((unsigned long)SSL_get_error((ssl),(err))))
-/*
- * OpenSSL BIO Routines
- */
-#define BIO_TYPE_TCL	(19|0x0400)
-
-/*
- * Defines for State.flags
- */
-#define TLS_TCL_ASYNC	(1<<0)	/* non-blocking mode */
-#define TLS_TCL_SERVER	(1<<1)	/* Server-Side */
-#define TLS_TCL_INIT	(1<<2)	/* Initializing connection */
-#define TLS_TCL_DEBUG	(1<<3)	/* Show debug tracing */
-#define TLS_TCL_CALLBACK	(1<<4)	/* In a callback, prevent update
-					 * looping problem. [Bug 1652380] */
-#define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once
-                                         * set, all further I/O will result
-                                         * in ECONNABORTED errors. */
-#define TLS_TCL_FASTPATH (1<<6)         /* The parent channel is being used directly by the SSL library */
-#define TLS_TCL_DELAY (5)
-
-/*
- * This structure describes the per-instance state
- * of an ssl channel.
- *
- * The SSL processing context is maintained here, in the ClientData
- */
-typedef struct State {
-	Tcl_Channel self;       /* this socket channel */
-	Tcl_TimerToken timer;
-
-	int flags;              /* see State.flags above  */
-	int watchMask;          /* current WatchProc mask */
-	int mode;               /* current mode of parent channel */
-
-	Tcl_Interp *interp;     /* interpreter in which this resides */
-	Tcl_Obj *callback;      /* script called for tracing, verifying and errors */
-	Tcl_Obj *password;      /* script called for certificate password */
-
-	int vflags;             /* verify flags */
-	SSL *ssl;               /* Struct for SSL processing */
-	SSL_CTX *ctx;           /* SSL Context */
-	BIO *bio;               /* Struct for SSL processing */
-	BIO *p_bio;             /* Parent BIO (that is layered on Tcl_Channel) */
-
-	const char *err;
-} State;
-
-#ifdef USE_TCL_STUBS
-#ifndef Tcl_StackChannel
-#error "Unable to compile on this version of Tcl"
-#endif /* Tcl_GetStackedChannel */
-#endif /* USE_TCL_STUBS */
-
-#ifndef JOIN
-#  define JOIN(a,b) JOIN1(a,b)
-#  define JOIN1(a,b) a##b
-#endif
-
-#ifndef TCL_UNUSED
-# if defined(__cplusplus)
-#   define TCL_UNUSED(T) T
-# elif defined(__GNUC__) && (__GNUC__ > 2)
-#   define TCL_UNUSED(T) T JOIN(dummy, __LINE__) __attribute__((unused))
-# else
-#   define TCL_UNUSED(T) T JOIN(dummy, __LINE__)
-# endif
-#endif
-
-#if (TCL_MAJOR_VERSION < 9) && defined(TCL_MINOR_VERSION) && (TCL_MINOR_VERSION < 7) && !defined(Tcl_Size)
-#   define Tcl_Size int
-#endif
-
-/*
- * Forward declarations
- */
-const Tcl_ChannelType *Tls_ChannelType(void);
-Tcl_Channel     Tls_GetParent(State *statePtr, int maskFlags);
-
-Tcl_Obj         *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert);
-void            Tls_Error(State *statePtr, char *msg);
-#if TCL_MAJOR_VERSION > 8
-void            Tls_Free(void *blockPtr);
-#else
-void            Tls_Free(char *blockPtr);
-#endif
-void            Tls_Clean(State *statePtr);
-int             Tls_WaitForConnect(State *statePtr, int *errorCodePtr, int handshakeFailureIsPermanent);
-
-BIO             *BIO_new_tcl(State* statePtr, int flags);
-
-#define PTR2INT(x) ((int) ((intptr_t) (x)))
-
-#endif /* _TLSINT_H */

DELETED tlsX509.c
Index: tlsX509.c
==================================================================
--- tlsX509.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/*
- * Copyright (C) 1997-2000 Sensus Consulting Ltd.
- * Matt Newman <matt@sensus.org>
- */
-#include "tlsInt.h"
-
-/*
- *  Ensure these are not macros - known to be defined on Win32
- */
-#ifdef min
-#undef min
-#endif
-
-#ifdef max
-#undef max
-#endif
-
-static int min(int a, int b)
-{
-    return (a < b) ? a : b;
-}
-
-static int max(int a, int b)
-{
-    return (a > b) ? a : b;
-}
-
-/*
- * ASN1_UTCTIME_tostr --
- */
-static char *
-ASN1_UTCTIME_tostr(ASN1_UTCTIME *tm)
-{
-    static char bp[128];
-    char *v;
-    int gmt=0;
-    static char *mon[12]={
-        "Jan","Feb","Mar","Apr","May","Jun",
-        "Jul","Aug","Sep","Oct","Nov","Dec"};
-    int i;
-    int y=0,M=0,d=0,h=0,m=0,s=0;
-
-    i=tm->length;
-    v=(char *)tm->data;
-
-    if (i < 10) goto err;
-    if (v[i-1] == 'Z') gmt=1;
-    for (i=0; i<10; i++)
-        if ((v[i] > '9') || (v[i] < '0')) goto err;
-    y= (v[0]-'0')*10+(v[1]-'0');
-    if (y < 70) y+=100;
-    M= (v[2]-'0')*10+(v[3]-'0');
-    if ((M > 12) || (M < 1)) goto err;
-    d= (v[4]-'0')*10+(v[5]-'0');
-    h= (v[6]-'0')*10+(v[7]-'0');
-    m=  (v[8]-'0')*10+(v[9]-'0');
-    if (	(v[10] >= '0') && (v[10] <= '9') &&
-		(v[11] >= '0') && (v[11] <= '9'))
-        s=  (v[10]-'0')*10+(v[11]-'0');
-
-    sprintf(bp,"%s %2d %02d:%02d:%02d %d%s",
-                   mon[M-1],d,h,m,s,y+1900,(gmt)?" GMT":"");
-    return bp;
- err:
-    return "Bad time value";
-}
-
-/*
- *------------------------------------------------------*
- *
- *	Tls_NewX509Obj --
- *
- *	------------------------------------------------*
- *	Converts a X509 certificate into a Tcl_Obj
- *	------------------------------------------------*
- *
- *	Sideeffects:
- *		None
- *
- *	Result:
- *		A Tcl List Object representing the provided
- *		X509 certificate.
- *
- *------------------------------------------------------*
- */
-
-#define CERT_STR_SIZE 16384
-
-Tcl_Obj*
-Tls_NewX509Obj( interp, cert)
-    Tcl_Interp *interp;
-    X509 *cert;
-{
-    Tcl_Obj *certPtr = Tcl_NewListObj( 0, NULL);
-    BIO *bio;
-    int n;
-    unsigned long flags;
-    char subject[BUFSIZ];
-    char issuer[BUFSIZ];
-    char serial[BUFSIZ];
-    char notBefore[BUFSIZ];
-    char notAfter[BUFSIZ];
-    char certStr[CERT_STR_SIZE], *certStr_p;
-    int certStr_len, toRead;
-#ifndef NO_SSL_SHA
-    int shai;
-    char sha_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1];
-    unsigned char sha_hash_binary[SHA_DIGEST_LENGTH];
-    const char *shachars="0123456789ABCDEF";
-
-    sha_hash_ascii[SHA_DIGEST_LENGTH * 2] = '\0';
-#endif
-
-    certStr[0] = 0;
-    if ((bio = BIO_new(BIO_s_mem())) == NULL) {
-	subject[0] = 0;
-	issuer[0]  = 0;
-	serial[0]  = 0;
-    } else {
-	flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
-	flags &= ~ASN1_STRFLGS_ESC_MSB;
-
-	X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags);
-	n = BIO_read(bio, subject, min(BIO_pending(bio), BUFSIZ - 1));
-	n = max(n, 0);
-	subject[n] = 0;
-	(void)BIO_flush(bio);
-
-	X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags);
-	n = BIO_read(bio, issuer, min(BIO_pending(bio), BUFSIZ - 1));
-	n = max(n, 0);
-	issuer[n] = 0;
-	(void)BIO_flush(bio);
-
-	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
-	n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1));
-	n = max(n, 0);
-	serial[n] = 0;
-	(void)BIO_flush(bio);
-
-        if (PEM_write_bio_X509(bio, cert)) {
-            certStr_p = certStr;
-            certStr_len = 0;
-            while (1) {
-                toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1);
-                toRead = min(toRead, BUFSIZ);
-                if (toRead == 0) {
-                    break;
-                }
-                dprintf("Reading %i bytes from the certificate...", toRead);
-                n = BIO_read(bio, certStr_p, toRead);
-                if (n <= 0) {
-                    break;
-                }
-                certStr_len += n;
-                certStr_p   += n;
-            }
-            *certStr_p = '\0';
-            (void)BIO_flush(bio);
-        }
-
-	BIO_free(bio);
-    }
-
-    strcpy( notBefore, ASN1_UTCTIME_tostr( X509_get_notBefore(cert) ));
-    strcpy( notAfter, ASN1_UTCTIME_tostr( X509_get_notAfter(cert) ));
-
-#ifndef NO_SSL_SHA
-    X509_digest(cert, EVP_sha1(), sha_hash_binary, NULL);
-    for (shai = 0; shai < SHA_DIGEST_LENGTH; shai++) {
-        sha_hash_ascii[shai * 2]     = shachars[(sha_hash_binary[shai] & 0xF0) >> 4];
-        sha_hash_ascii[shai * 2 + 1] = shachars[(sha_hash_binary[shai] & 0x0F)];
-    }
-    Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) );
-    Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha_hash_ascii, SHA_DIGEST_LENGTH * 2) );
-
-#endif
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( "subject", -1) );
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( subject, -1) );
-
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( "issuer", -1) );
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( issuer, -1) );
-
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( "notBefore", -1) );
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( notBefore, -1) );
-
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( "notAfter", -1) );
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( notAfter, -1) );
-
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( "serial", -1) );
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( serial, -1) );
-
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( "certificate", -1) );
-    Tcl_ListObjAppendElement( interp, certPtr,
-	    Tcl_NewStringObj( certStr, -1) );
-
-    return certPtr;
-}

Index: win/makefile.vc
==================================================================
--- win/makefile.vc
+++ win/makefile.vc
@@ -1,32 +1,70 @@
-# call nmake with additional parameter SSL_INSTALL_FOLDER= with the
-# OpenSSL instalation folder following.
-
-PROJECT=tls
-DOTVERSION = 1.8.0
-
-PRJLIBNAME	= $(PROJECT)$(VERSION)$(SUFX).$(EXT)
-PRJLIB		= $(OUT_DIR)\$(PRJLIBNAME)
+#------------------------------------------------------------- -*- makefile -*-
+#
+# Makefile for TclTLS extensions.
+#
+# Basic build, test and install
+#   nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl
+#   nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl test
+#   nmake /f makefile.vc INSTALLDIR=c:\path\to\tcl install
+#
+# For other build options (debug, static etc.),
+# See TIP 477 (https://core.tcl-lang.org/tips/doc/main/tip/477.md) for
+# detailed documentation.
+#
+# See the file "license.terms" for information on usage and redistribution
+# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
+#
+#------------------------------------------------------------------------------
+
+# The name of the package
+PROJECT=tls
 
 !include "rules-ext.vc"
 
-PRJ_INCLUDES	= -I"$(SSL_INSTALL_FOLDER)\include"
-PRJ_DEFINES =  -D NO_SSL2 -D NO_SSL3 -D _CRT_SECURE_NO_WARNINGS
+# Define the object files and resource file that make up the extension.
+# Note the resource file does not makes sense if doing a static library build
+# hence it is under that condition. TMP_DIR is the output directory
+# defined by rules for object files.
+PRJ_OBJS = $(TMP_DIR)\tls.obj \
+	$(TMP_DIR)\tlsBIO.obj \
+	$(TMP_DIR)\tlsIO.obj \
+	$(TMP_DIR)\tlsX509.obj
+
+# Define any additional project include flags
+# SSL_INSTALL_FOLDER = with the OpenSSL installation folder following.
+PRJ_INCLUDES = -I"$(SSL_INSTALL_FOLDER)\include" -I"$(OPENSSL_INSTALL_DIR)\include"
 
+# Define any additional compiler flags that might be required for the project
+PRJ_DEFINES = -D NO_SSL2 -D NO_SSL3 -D _CRT_SECURE_NO_WARNINGS
+ 
+# SSL Libs:
+#    1. ${LIBCRYPTO}.dll
+#    2. ${LIBSSL}.dll
+# Where LIBCRYPTO (#1.) and LIBSSL (#2.) are defined as follows:
+#    v1.1: libcrypto-1.1-x64.dll and libssl-1.1-x64.dll
+#    v3: libcrypto-3-x64.dll and libssl-3-x64.dll
+# On *nix libcrypto.so.* and libssl.so.* (where suffix is a version indicator).
+#
 PRJ_LIBS = \
 	"$(SSL_INSTALL_FOLDER)\lib\libssl.lib" \
 	"$(SSL_INSTALL_FOLDER)\lib\libcrypto.lib" \
-	WS2_32.LIB GDI32.LIB ADVAPI32.LIB CRYPT32.LIB USER32.LIB 
-
-
-PRJ_OBJS = $(TMP_DIR)\tls.obj \
-               $(TMP_DIR)\tlsBIO.obj \
-               $(TMP_DIR)\tlsIO.obj \
-               $(TMP_DIR)\tlsX509.obj
-			   
+	WS2_32.LIB GDI32.LIB ADVAPI32.LIB CRYPT32.LIB USER32.LIB
+
+# Define the standard targets
 !include "targets.vc"
 
+# Project specific targets
+
+# We must define a pkgindex target that will create a pkgIndex.tcl
+# file in the $(OUT_DIR) directory. We can just redirect to the
+# default-pkgindex target for our sample extension.
 pkgindex: default-pkgindex
-install:
-	copy "$(SSL_INSTALL_FOLDER)\bin\libcrypto-3-x64.dll" "$(INSTALLDIR)\$(PROJECT)$(DOTVERSION)\libcrypto-3-x64.dll"
-	copy "$(SSL_INSTALL_FOLDER)\bin\libssl-3-x64.dll" "$(INSTALLDIR)\$(PROJECT)$(DOTVERSION)\libssl-3-x64.dll"
+
+# The default install target only installs binaries and scripts so add
+# an additional target for our documentation. Note this *adds* a target
+# since no commands are listed after it. The original targets for
+# install (from targets.vc) will remain.
+install: default-pkgindex-tea default-install default-install-docs-html
 
+# Test package
+test: default-test