Index: configure ================================================================== --- configure +++ configure @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.59 for tls 1.6.6. +# Generated by GNU Autoconf 2.59 for tls 1.6.7. # # Copyright (C) 2003 Free Software Foundation, Inc. # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## --------------------- ## @@ -265,12 +265,12 @@ : ${ac_max_here_lines=38} # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' -PACKAGE_VERSION='1.6.6' -PACKAGE_STRING='tls 1.6.6' +PACKAGE_VERSION='1.6.7' +PACKAGE_STRING='tls 1.6.7' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. ac_includes_default="\ #include @@ -775,11 +775,11 @@ # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tls 1.6.6 to adapt to many kinds of systems. +\`configure' configures tls 1.6.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. @@ -832,11 +832,11 @@ _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tls 1.6.6:";; + short | recursive ) echo "Configuration of tls 1.6.7:";; esac cat <<\_ACEOF Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) @@ -968,11 +968,11 @@ fi test -n "$ac_init_help" && exit 0 if $ac_init_version; then cat <<\_ACEOF -tls configure 1.6.6 +tls configure 1.6.7 generated by GNU Autoconf 2.59 Copyright (C) 2003 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. @@ -982,11 +982,11 @@ exec 5>config.log cat >&5 <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tls $as_me 1.6.6, which was +It was created by tls $as_me 1.6.7, which was generated by GNU Autoconf 2.59. Invocation command line was $ $0 $@ _ACEOF @@ -10809,11 +10809,11 @@ ## Running $as_me. ## _ASBOX } >&5 cat >&5 <<_CSEOF -This file was extended by tls $as_me 1.6.6, which was +This file was extended by tls $as_me 1.6.7, which was generated by GNU Autoconf 2.59. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS @@ -10864,11 +10864,11 @@ Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -tls config.status 1.6.6 +tls config.status 1.6.7 configured by $0, generated by GNU Autoconf 2.59, with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\" Copyright (C) 2003 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation Index: configure.in ================================================================== --- configure.in +++ configure.in @@ -9,18 +9,18 @@ dnl to use the RSA BSAFE libraries for any product developed for dnl commercial use. Licensing information for BSAFE SSL-C may be dnl obtained from RSA Data Scurity Inc., San Mateo, California, USA. dnl Their home page on the web is "www.rsasecurity.com". # -# RCS: @(#) $Id: configure.in,v 1.30 2015/06/06 09:07:08 apnadkarni Exp $ +# RCS: @(#) $Id: configure.in,v 1.31 2015/07/07 17:16:02 andreas_kupries Exp $ #-------------------------------------------------------------------- # macro used to verify that the configure script can find the sources #-------------------------------------------------------------------- -AC_INIT([tls], [1.6.6]) +AC_INIT([tls], [1.6.7]) TEA_INIT([3.8]) AC_CONFIG_AUX_DIR(tclconfig) Index: tls.c ================================================================== --- tls.c +++ tls.c @@ -3,11 +3,11 @@ * some modifications: * Copyright (C) 2000 Ajuba Solutions * Copyright (C) 2002 ActiveState Corporation * Copyright (C) 2004 Starfish Systems * - * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.c,v 1.36 2015/05/01 18:44:34 andreas_kupries Exp $ + * $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.c,v 1.37 2015/07/07 17:16:02 andreas_kupries Exp $ * * TLS (aka SSL) Channel - can be layered on any bi-directional * Tcl_Channel (Note: Requires Trf Core Patch) * * This was built (almost) from scratch based upon observation of @@ -62,11 +62,12 @@ static int UnimportObjCmd _ANSI_ARGS_ ((ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[])); static SSL_CTX *CTX_Init _ANSI_ARGS_((State *statePtr, int proto, char *key, - char *cert, char *CAdir, char *CAfile, char *ciphers)); + char *cert, char *CAdir, char *CAfile, char *ciphers, + char *DHparams)); static int TlsLibInit _ANSI_ARGS_ (()) ; #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 @@ -77,33 +78,50 @@ /* * Static data structures */ -#ifndef NO_DH -/* from openssl/apps/s_server.c */ - -static unsigned char dh512_p[]={ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, +#ifndef OPENSSL_NO_DH +/* code derived from output of 'openssl dhparam -C 2048' */ + +static unsigned char dh2048_p[]={ + 0xEC,0xFD,0x6F,0x66,0xD8,0xBC,0xB4,0xCB,0xD7,0xE7,0xB4,0xAE, + 0xEC,0xC0,0x06,0x25,0x40,0x9F,0x3F,0xC4,0xAC,0x34,0x19,0x36, + 0x8A,0xAB,0xA9,0xF6,0x45,0x36,0x87,0x1F,0x10,0x35,0x3F,0x90, + 0x00,0xC6,0x7A,0xE8,0x51,0xF4,0x7F,0x50,0x0F,0xC2,0x82,0x91, + 0xAD,0x60,0x1B,0x49,0xB1,0x0B,0x23,0xC3,0x37,0xAE,0x0D,0x2C, + 0x49,0xC6,0xFB,0x60,0x9D,0x50,0x2F,0x8C,0x2F,0xDE,0xE6,0x5F, + 0x53,0x8B,0x5F,0xF9,0x70,0x16,0xEE,0x51,0xD1,0xAB,0x02,0x48, + 0x61,0xF1,0xA0,0xD7,0xBD,0x04,0x24,0xF0,0xE4,0xD1,0x0A,0x4C, + 0x28,0xDC,0x22,0x78,0x7C,0xED,0x2A,0xFA,0xF4,0x57,0x7C,0xAE, + 0xDF,0x52,0xC6,0xA2,0x11,0x28,0xC5,0x3B,0xB8,0x2F,0x95,0x3F, + 0x1E,0x05,0x66,0xFE,0x7D,0x1A,0x73,0xA0,0x45,0xF8,0xBB,0x8C, + 0x64,0xB9,0xA9,0x4D,0x23,0xBE,0x20,0x60,0xA2,0xF7,0xC7,0xD8, + 0xD8,0x49,0x28,0x9A,0x81,0xAC,0xF9,0x7F,0x3C,0xFC,0xBE,0x25, + 0x5B,0x1D,0xB6,0xAB,0x08,0x06,0x11,0x8D,0x94,0x69,0x3C,0x68, + 0x98,0x5A,0x90,0xF8,0xEB,0x19,0xCA,0x9F,0x1C,0x50,0x96,0x53, + 0xEF,0xEC,0x1B,0x93,0x4F,0x53,0xB7,0xD9,0x04,0x8E,0x48,0x99, + 0x6E,0x24,0xFF,0x66,0xF5,0xB0,0xDF,0x00,0xBA,0x22,0xE2,0xB6, + 0xE3,0x3A,0xC2,0x95,0xB1,0x14,0x68,0xFB,0xA5,0x37,0x22,0x78, + 0x56,0x5C,0xA4,0x23,0x31,0x02,0x97,0x7D,0xA9,0x84,0x0B,0x12, + 0x26,0x58,0x2F,0x86,0x10,0xAD,0xB0,0xAB,0xB9,0x7B,0x05,0x9A, + 0xDE,0x11,0xF1,0xE7,0x34,0xC7,0x95,0x42,0x1C,0x4F,0xA9,0xA8, + 0x92,0xDF,0x3F,0x7B, }; -static unsigned char dh512_g[]={ +static unsigned char dh2048_g[]={ 0x02, }; -static DH *get_dh512() + +static DH *get_dh2048() { DH *dh=NULL; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); + dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); + dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); if ((dh->p == NULL) || (dh->g == NULL)) return(NULL); return(dh); } @@ -729,10 +747,11 @@ char *key = NULL; char *cert = NULL; char *ciphers = NULL; char *CAfile = NULL; char *CAdir = NULL; + char *DHparams = NULL; char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ #endif #if defined(NO_SSL2) @@ -776,10 +795,11 @@ OPTSTR( "-cadir", CAdir); OPTSTR( "-cafile", CAfile); OPTSTR( "-certfile", cert); OPTSTR( "-cipher", ciphers); OPTOBJ( "-command", script); + OPTSTR( "-dhparams", DHparams); OPTSTR( "-keyfile", key); OPTSTR( "-model", model); OPTOBJ( "-password", password); OPTBOOL( "-require", require); OPTBOOL( "-request", request); @@ -792,11 +812,11 @@ OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); - OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); + OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; @@ -807,15 +827,16 @@ proto |= (tls1 ? TLS_PROTO_TLS1 : 0); proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); /* reset to NULL if blank string provided */ - if (cert && !*cert) cert = NULL; - if (key && !*key) key = NULL; - if (ciphers && !*ciphers) ciphers = NULL; - if (CAfile && !*CAfile) CAfile = NULL; - if (CAdir && !*CAdir) CAdir = NULL; + if (cert && !*cert) cert = NULL; + if (key && !*key) key = NULL; + if (ciphers && !*ciphers) ciphers = NULL; + if (CAfile && !*CAfile) CAfile = NULL; + if (CAdir && !*CAdir) CAdir = NULL; + if (DHparams && !*DHparams) DHparams = NULL; /* new SSL state */ statePtr = (State *) ckalloc((unsigned) sizeof(State)); memset(statePtr, 0, sizeof(State)); @@ -862,12 +883,12 @@ Tls_Free((char *) statePtr); return TCL_ERROR; } ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx; } else { - if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers)) - == (SSL_CTX*)0) { + if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, + DHparams)) == (SSL_CTX*)0) { Tls_Free((char *) statePtr); return TCL_ERROR; } } @@ -1023,18 +1044,19 @@ * *------------------------------------------------------------------- */ static SSL_CTX * -CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers) +CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, DHparams) State *statePtr; int proto; char *key; char *cert; char *CAdir; char *CAfile; char *ciphers; + char *DHparams; { Tcl_Interp *interp = statePtr->interp; SSL_CTX *ctx = NULL; Tcl_DString ds; Tcl_DString ds1; @@ -1121,11 +1143,11 @@ #if !defined(NO_TLS1_2) off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2); #endif break; } - + ctx = SSL_CTX_new (method); SSL_CTX_set_app_data( ctx, (VOID*)interp); /* remember the interpreter */ SSL_CTX_set_options( ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options( ctx, off); /* all SSL bug workarounds */ @@ -1139,13 +1161,45 @@ #ifndef BSAFE SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr); #endif -#ifndef NO_DH + /* read a Diffie-Hellman parameters file, or use the built-in one */ +#ifdef OPENSSL_NO_DH + if (DHparams != NULL) { + Tcl_AppendResult(interp, + "DH parameter support not available", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } +#else { - DH* dh = get_dh512(); + DH* dh; + if (DHparams != NULL) { + BIO *bio; + Tcl_DStringInit(&ds); + bio = BIO_new_file(F2N(DHparams, &ds), "r"); + if (!bio) { + Tcl_DStringFree(&ds); + Tcl_AppendResult(interp, + "Could not find DH parameters file", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + + dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + BIO_free(bio); + Tcl_DStringFree(&ds); + if (!dh) { + Tcl_AppendResult(interp, + "Could not read DH parameters from file", (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } else { + dh = get_dh2048(); + } SSL_CTX_set_tmp_dh(ctx, dh); DH_free(dh); } #endif Index: tls.htm ================================================================== --- tls.htm +++ tls.htm @@ -169,10 +169,12 @@ their own validation of the certificate in place of the default validation provided by OpenSSL.
See CALLBACK OPTIONS for further discussion. +
-dhparams filename
+
Provide a Diffie-Hellman parameters file.
-keyfile filename
Provide the private key file. (default: value of -certfile)
-model channel
This will force this channel to share the same SSL_CTX Index: tls.tcl ================================================================== --- tls.tcl +++ tls.tcl @@ -1,9 +1,9 @@ # # Copyright (C) 1997-2000 Matt Newman # -# $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.tcl,v 1.13 2014/12/08 19:09:06 andreas_kupries Exp $ +# $Header: /home/rkeene/tmp/cvs2fossil/../tcltls/tls/tls/tls.tcl,v 1.14 2015/07/07 17:16:03 andreas_kupries Exp $ # namespace eval tls { variable logcmd tclLog variable debug 0 @@ -69,16 +69,16 @@ set server 1 set callback [lindex $args [expr {$idx+1}]] set args [lreplace $args $idx [expr {$idx+1}]] set usage "wrong # args: should be \"tls::socket -server command ?options? port\"" - set options "-cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" + set options "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -myaddr, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" } else { set server 0 set usage "wrong # args: should be \"tls::socket ?options? host port\"" - set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" + set options "-async, -cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -myaddr, -myport, -password, -request, -require, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2" } set argc [llength $args] set sopts {} set iopts [concat [list -server $server] $defaults] ;# Import options @@ -92,10 +92,11 @@ *,-cadir - *,-cafile - *,-certfile - *,-cipher - *,-command - + *,-dhparams - *,-keyfile - *,-password - *,-request - *,-require - *,-servername -