Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tls for openSUSE:Factory checked in at 2021-04-21 21:00:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tls (Old) and /work/SRC/openSUSE:Factory/.tls.new.12324 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tls" Wed Apr 21 21:00:03 2021 rev:22 rq:887015 version:1.7.22 Changes: -------- --- /work/SRC/openSUSE:Factory/tls/tls.changes 2018-02-01 21:31:54.346007980 +0100 +++ /work/SRC/openSUSE:Factory/.tls.new.12324/tls.changes 2021-04-21 21:00:32.210308834 +0200 @@ -1,0 +2,11 @@ +Tue Apr 20 13:01:00 UTC 2021 - Reinhard Max <[email protected]> + +- Update to version 1.7.22 + * Allow loading certificates and keys as values instead of files. + * add "version" element with SSL/TLS protocol version to tls::status + * Obsoletes tls-fix-channel-state.patch +- Add 2048 bit keys for testing, because recent openssl versions + don't accept 1024 bits anymore (tls-test-certs.tar.gz). +- Update upstream URLs. + +------------------------------------------------------------------- Old: ---- tcltls-1.7.14.tar.gz tls-fix-channel-state.patch New: ---- tcltls-1.7.22.tar.gz tls-test-certs.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tls.spec ++++++ --- /var/tmp/diff_new_pack.zIemBY/_old 2021-04-21 21:00:32.710309621 +0200 +++ /var/tmp/diff_new_pack.zIemBY/_new 2021-04-21 21:00:32.714309628 +0200 @@ -1,7 +1,7 @@ # # spec file for package tls # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -20,11 +20,11 @@ Summary: Tcl Binding for the OpenSSL Library License: BSD-3-Clause Group: Development/Libraries/Tcl -Version: 1.7.14 +Version: 1.7.22 Release: 0 -Url: http://tls.sourceforge.net -Source0: tcl%name-%version.tar.gz -Patch0: tls-fix-channel-state.patch +URL: https://core.tcl-lang.org/tcltls +Source0: https://core.tcl-lang.org/tcltls/uv/tcltls-%version.tar.gz +Source1: %name-test-certs.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(tcl) @@ -36,8 +36,7 @@ command with additional options for controlling the SSL session. %prep -%setup -q -n tcl%name-%version -%patch0 +%setup -q -a 1 -n tcl%name-%version %build %configure \ ++++++ tcltls-1.7.14.tar.gz -> tcltls-1.7.22.tar.gz ++++++ ++++ 2099 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/ChangeLog new/tcltls-1.7.22/ChangeLog --- old/tcltls-1.7.14/ChangeLog 2017-11-08 16:01:00.000000000 +0100 +++ new/tcltls-1.7.22/ChangeLog 2020-10-12 22:40:17.000000000 +0200 @@ -1,7 +1,7 @@ -TclTLS 1.7.14 +TclTLS 1.7.22 ========== -Release Date: Wed Nov 8 09:00:58 CST 2017 +Release Date: Mon Oct 12 15:40:16 CDT 2020 https://tcltls.rkeene.org/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/MD5SUMS new/tcltls-1.7.22/MD5SUMS --- old/tcltls-1.7.14/MD5SUMS 2017-11-08 16:03:37.000000000 +0100 +++ new/tcltls-1.7.22/MD5SUMS 2020-10-12 22:42:28.000000000 +0200 
@@ -1,16 +1,18 @@ -a72cfcda2469adc77b5cd22d293ff279 ChangeLog -b4911c442d381222619d947e15e00bc8 Makefile.in -589be157b61d537eaffe12d87b4d2693 README.txt -f0808010d3137320e376b14583de5d5c aclocal.m4 +45e293fa23d2d47a17702bdf4c9962f2 ChangeLog +ae625e8e789f3b27841d7a9d3bc1c905 Makefile.in +36f45524f825591a5f363d1173365efd README.txt +52d5b29c1348cb35fc2f108cdddae34b aclocal.m4 cb63eb753c1e306e3c593c4903d26c66 config.guess 9f3562619f0564ef89b6852b2d3f140d config.sub -c3f9d4ef1779fc0f9bac932482186461 configure -c7a08b9584f1dfdf8005e6fdd56c52a5 configure.ac +fa51784f2948356e20cfc7dbbff5672a configure +be7078232d12dee86a817f7095220d0f configure.ac 633d73b964f3ab08d40d7ff924ed4c69 gen_dh_params 361482dd6b5b5eb7090fff3986fba68a install-sh 8312a7a9e971ec004d05e3c201812bd9 license.terms -2eb13b4dd9086b9e74e048e7a087e0de pkgIndex.tcl.in -b8f69eaf82b78ea535e86d6e87e35eef tclOpts.h +b773271903217e6dce87ea45be28cf2e pkgIndex.tcl.in +b75bcff5b211b87d6d9faa4df6b148ab tclOpts.h +d2a5ae5ca22246a7c3cbca646e85e3f5 tcltls.syms.in +ed21130506e62a2fe7060ab9fe459351 tcltls.vers 10bee7f0536a1787d2141453f6916569 tests/all.tcl da282fce1de7a55e6cf12234d12c336a tests/certs/README.txt eb1f6c4cb1f2794e2913f40cc7a11dd5 tests/certs/ca.pem 
@@ -39,11 +41,11 @@ 684f4a43af8c0fb2a2c3cb59631cac38 tests/simpleClient.tcl 3c2467c2a113309da6797957c16dc9b0 tests/simpleServer.tcl 96188512fde4891928201f48fc919559 tests/tlsIO.test -9cdaa05989039af9496466b263099698 tls.c +6291a8a9895927beec8085e09b3bb641 tls.c 3e3cc4de47f7315036ef5c25f6659a90 tls.h -aa381e15f681e2f14e6a8f9ce0ee9e6d tls.htm -b7a675ff91a8e84f2f320e35091fe262 tls.tcl -f91426bd427108dd73fc10e76a504455 tlsBIO.c -6bfabe5017fa4cf1768222cad4902c56 tlsIO.c +1752ccf3c5a8f80751a871259ffb5443 tls.htm +c0311896fc77cdd5c1e6c0d595006bd1 tls.tcl +5f0f52585eec3e2b5595b7420af033a5 tlsBIO.c +fcd6dcd2b3d90c718a06fcf08d42f727 tlsIO.c 7a955de5fcbe78e0a83280fd84919cb0 tlsInt.h -1b51ff389b7cca07f132d8368a6135ea tlsX509.c +3b02f671066ba2e2f0d008589a2179d8 tlsX509.c diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/README.txt new/tcltls-1.7.22/README.txt --- old/tcltls-1.7.14/README.txt 2017-11-08 16:01:00.000000000 +0100 +++ new/tcltls-1.7.22/README.txt 2020-10-12 22:40:17.000000000 +0200 @@ -1,7 +1,7 @@ -TclTLS 1.7.14 +TclTLS 1.7.22 ========== -Release Date: Wed Nov 8 09:00:58 CST 2017 +Release Date: Mon Oct 12 15:40:16 CDT 2020 https://tcltls.rkeene.org/ 
@@ -26,6 +26,8 @@ TLS 1.7 and newer require Tcl 8.4.0+, older versions may be used if older versions of Tcl need to be used. +TclTLS requires OpenSSL or LibreSSL in order to be compiled and function. + Non-exclusive credits for TLS are: Original work: Matt Newman @ Novadigm Updates: Jeff Hobbs @ ActiveState diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/SHA256SUMS new/tcltls-1.7.22/SHA256SUMS --- old/tcltls-1.7.14/SHA256SUMS 2017-11-08 16:03:37.000000000 +0100 +++ new/tcltls-1.7.22/SHA256SUMS 2020-10-12 22:42:28.000000000 +0200 
@@ -1,17 +1,19 @@ -9026196d0d0d0e2798e1438ee6740292ddd04435f789c45f1205eaacd2622f45 ChangeLog -cf55f35c35762833ee60ada847dc2f090dae8b6e78a09c61e815abeba8db0c87 MD5SUMS -8dbe83339595a528364b4046cf0f2ca3abbfb8d570fdedc99002b315db827fdf Makefile.in -33ad71699712cee60a37791cd6d680362d0775c3d1ff9c449be48fc813f7145e README.txt -f0b20fc567d6b08df34789095c41c7214fcabe307cb1681f55f1685c7c27a14b aclocal.m4 +c0acae9cd2476602ca99b837ebe29c966c3a55164779baebe8b5805e55527ec8 ChangeLog +70d312de5b877d228af322c3e352444be70933bc58d86314d3be71c811f8fec1 MD5SUMS +b842e6e20a4766e0a347fa3a7fe54a8771f4435f523659650c0f5b0aa4221dfe Makefile.in +012091a4ce376a3a2d3d10d3d382fe08d9c827b194a8b390aee27defd4495b8e README.txt +38227a215cb77be63fd4a8c3e6f536df2083a861ae1f1fcf6354b67864663e7b aclocal.m4 b7eab9b8a73dc6e0421366bca6921cd2621dab6c3909d6e3bebf863011442d15 config.guess 82745ce935695e7984a053c155a64b9ad16ece3a07d931cc90ab3fb28b7221af config.sub -fde47b68bf011dfb01e18d592e900ea9840af2774821914deebf00b8c95190f5 configure -5bd425f9fa16188d79ff6e34ba5b0cf74ca2f8775525885d5e2eb96797fab9d5 configure.ac +8e36b618b2ad5134b72227660a7b1d1fea4f8f16efe909bd99fd972b04f32aac configure +d7e632b38dca8b5bb403cfc74fed7b257540a1a7c281885fcd7c0a40edaea788 configure.ac aa4587b53ba975e16ca2939c00c53970acd1e9652ab2f189957e2f1fef831ca0 gen_dh_params d7c113e5484fce8b48f9a34a7a91e385ec279247d415b0b7d749bd56ad8ee8a2 install-sh ad18d940fa0d42b632f0008e136a871d0c0de5957a34a12fc742928c5e7e7d40 license.terms -ce87fea64b412e3df34a8cf179faf95630779008ed57573781c99b38df7d3c43 pkgIndex.tcl.in -e1eb6ca1424020229230edbdd11faa6e01feaed4bd6e128db6f084c6b941b309 tclOpts.h +d4514cc92583797c74619ffc3324aad9697e6635726e7775c6cb31cb482f69c4 pkgIndex.tcl.in +ed77925b19247e7acbaa915cc732e9ab6e0d3ac8cea19adc3245c2cc7d419d71 tclOpts.h +198d412135c8ce2952ae19c0ab290b10242c331d1dec22c79aaaf9f170a9aa83 tcltls.syms.in +25ea0b39640d2ffd6076693b5fe4f5fc53d21ffbbd4403063b167b48685cd081 tcltls.vers 
57b4d96a21af3c4f5e496b9e859c62559c03553bac56f15e81384bc1764a9f1d tests/all.tcl 7278cc0aa7f2b4ed13986787c37ff5cb398b93b7f4dbe5d648706c3ccc03e2f9 tests/certs/README.txt 07f009e0f29a8553f2aa6162aeae9a45234442d8a2d91e74234c03df10ee2a28 tests/certs/ca.pem 
@@ -40,11 +42,11 @@ d4ffa4bca2e6cde0757defd68b950a166d6edd5326fa60fbebcda97982ec8dd2 tests/simpleClient.tcl 34a3729b03e8c20638b8c6312d83f93ce5dc85e44331d4fbed6e17e9f7e3b221 tests/simpleServer.tcl 41a78c006b07b0881c308adbe4a3202d7a48f9d665007ad360b3a812b4963082 tests/tlsIO.test -a9b1c59da3be25623d4d1571eee0397aa02118e965810ac73a6df99992d095f3 tls.c +81016ae05e74cd3c296c93696866cf548ec2ab5af6855a723e81adbd2eeebcd5 tls.c ed591721a8f875b9c6936398cb157af11642ca3e65cfc65d81bae70729a011b6 tls.h -a6687c7559726a8551d6dda84e2ced372e10af2c8c09dafff2e5b81e4e385010 tls.htm -d6c0ff7a2a36946e2a9c2ce2d2ab35abbe0490ae8104e26617b1e2e5e591f087 tls.tcl -19ec5e773f2bf4c983393f6eec2d81130403b2fd91269987128fa6bed0381883 tlsBIO.c -f11a329a63ac6e3e7e343a5852292b37c5d70cf10c9cc74270b77906a7a498c5 tlsIO.c +6cc5757511fb1b9ccf0069c6b284ce8c56516329bca4bc8cd5d296a5af21c5f8 tls.htm +b11300fdfd8a848b6a48937f15b8e7ec63b9a30ae7dd5564a3abc000cf92724c tls.tcl +235c73405db0c96f74d169036069c5b88f018fa243ba01692d4cc82d48048b56 tlsBIO.c +1f497fbb835a2daa70acbc04f8de0fb86d5ca207fdab1a55a980fd840b0f1571 tlsIO.c 7ebfb793c5ae294b27046144783378705e7a3f59bf725acf64c9bb232c264f03 tlsInt.h -b890da082dbe254ca1e3a9139204e6b7fd9cb6d22a4f688d75a67249651c1d7c tlsX509.c +f27dc81c2e04a4071419ef4b40e0bd26ea3b6d14ae16f1d701bce780b337d3d6 tlsX509.c diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/configure.ac new/tcltls-1.7.22/configure.ac --- old/tcltls-1.7.14/configure.ac 2017-11-08 16:00:28.000000000 +0100 +++ new/tcltls-1.7.22/configure.ac 2020-10-12 22:39:22.000000000 +0200 @@ -1,5 +1,5 @@ dnl Define ourselves -AC_INIT(tcltls, 1.7.14) +AC_INIT(tcltls, 1.7.22) dnl Checks for programs. AC_PROG_CC 
@@ -110,7 +110,7 @@
 	fi
 ])
 
-dnl ## TLSv1.1: Enabled by default
+dnl ## TLSv1.2: Enabled by default
 tcltls_ssl_tls1_2='true'
 AC_ARG_ENABLE([tlsv1.2], AS_HELP_STRING([--disable-tlsv1.2], [disable TLSv1.2 protocol]), [
 	if test "$enableval" = "yes"; then
@@ -120,6 +120,17 @@
 	fi
 ])
 
+dnl ## TLSv1.3: Enabled by default
+tcltls_ssl_tls1_3='true'
+AC_ARG_ENABLE([tlsv1.3], AS_HELP_STRING([--disable-tlsv1.3], [disable TLSv1.3 protocol]), [
+	if test "$enableval" = "yes"; then
+		tcltls_ssl_tls1_3='force'
+	else
+		tcltls_ssl_tls1_3='false'
+	fi
+])
+
+
 dnl Enable support for a debugging build
 tcltls_debug='false'
 AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [
@@ -170,9 +181,25 @@
 ])
 
 dnl Enable hardening
-AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [CFLAGS="$CFLAGS -fstack-protector-all"])
-AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overflow"])
-AC_DEFINE([_FORTIFY_SOURCE], [2], [Enable fortification])
+tcltls_enable_hardening='auto'
+AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable hardening attempts]), [
+	tcltls_enable_hardening="$enableval"
+])
+if test "$tcltls_enable_hardening" = 'auto'; then
+	tcltls_enable_hardening='true'
+	if test "$TCLEXT_BUILD" = 'static'; then
+		tcltls_enable_hardening='false'
+	fi
+elif test "$tcltls_enable_hardening" = 'yes'; then
+	tcltls_enable_hardening='true'
+else
+	tcltls_enable_hardening='false'
+fi
+if test "$tcltls_enable_hardening" = 'true'; then
+	AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [CFLAGS="$CFLAGS -fstack-protector-all"])
+	AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overflow"])
+	AC_DEFINE([_FORTIFY_SOURCE], [2], [Enable fortification])
+fi
 
 dnl XXX:TODO: Automatically determine the SSL library to use
 dnl defaulting to OpenSSL for compatibility reasons
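Review bot: In the hardening hunk, `tcltls_enable_hardening` is forced to 'false' whenever `TCLEXT_BUILD` is 'static' and `--enable-hardening` was not given, so a static build drops `-fstack-protector-all`, `-fno-strict-overflow` and `_FORTIFY_SOURCE=2` without a single line in the configure output saying so. Emitting `AC_MSG_NOTICE([hardening disabled for static build; pass --enable-hardening to force it])` inside that branch, or stating the static-build default in the `AS_HELP_STRING`, makes the downgrade visible to packagers who read the configure log. A `dnl` line recording why static builds are exempted would also help, because the reason is not written anywhere in the hunk.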
@@ -218,5 +245,12 @@ fi fi +dnl Enable a stable ABI +DC_SETUP_STABLE_API([${srcdir}/tcltls.vers], tcltls.syms) +if test "$tcltls_debug" = 'true'; then + WEAKENSYMS=':' + REMOVESYMS=':' +fi + dnl Produce output -AC_OUTPUT(Makefile pkgIndex.tcl) +AC_OUTPUT(Makefile pkgIndex.tcl tcltls.syms) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/pkgIndex.tcl.in new/tcltls-1.7.22/pkgIndex.tcl.in --- old/tcltls-1.7.14/pkgIndex.tcl.in 2017-11-08 16:00:28.000000000 +0100 +++ new/tcltls-1.7.22/pkgIndex.tcl.in 2020-10-12 22:39:22.000000000 +0200 @@ -3,7 +3,7 @@ if {{@TCLEXT_BUILD@} eq "static"} { load {} Tls } else { - load [file join $dir tcltls.@SHOBJEXT@] Tls + load [file join $dir @EXTENSION_TARGET@] Tls } set tlsTclInitScript [file join $dir tls.tcl] @@ -12,5 +12,5 @@ } }} $dir] } elseif {[package vsatisfies [package present Tcl] 8.4]} { - package ifneeded tls @PACKAGE_VERSION@ [list load [file join $dir tcltls.@SHOBJEXT@] Tls] + package ifneeded tls @PACKAGE_VERSION@ [list load [file join $dir @EXTENSION_TARGET@] Tls] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tclOpts.h new/tcltls-1.7.22/tclOpts.h --- old/tcltls-1.7.14/tclOpts.h 2017-11-08 16:00:28.000000000 +0100 +++ new/tcltls-1.7.22/tclOpts.h 2020-10-12 22:39:22.000000000 +0200 
@@ -45,6 +45,11 @@
 	} \
 	OPT_POSTLOG()
 
+#define OPTBYTE(option, var, lvar) \
+	OPT_PROLOG(option) \
+	var = Tcl_GetByteArrayFromObj(objv[idx], &(lvar));\
+	OPT_POSTLOG()
+
 #define OPTBAD(type, list) \
 	Tcl_AppendResult(interp, "bad ", (type), \
 		" \"", opt, "\": must be ", \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tcltls.syms.in new/tcltls-1.7.22/tcltls.syms.in
--- old/tcltls-1.7.14/tcltls.syms.in	1970-01-01 01:00:00.000000000 +0100
+++ new/tcltls-1.7.22/tcltls.syms.in	2020-10-12 22:39:22.000000000 +0200
@@ -0,0 +1 @@
+@SYMPREFIX@Tls_Init
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tcltls.vers new/tcltls-1.7.22/tcltls.vers
--- old/tcltls-1.7.14/tcltls.vers	1970-01-01 01:00:00.000000000 +0100
+++ new/tcltls-1.7.22/tcltls.vers	2020-10-12 22:39:22.000000000 +0200
@@ -0,0 +1,6 @@
+{
+	global:
+		Tls_Init;
+	local:
+		*;
+};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tls.c new/tcltls-1.7.22/tls.c
--- old/tcltls-1.7.14/tls.c	2017-11-08 16:00:28.000000000 +0100
+++ new/tcltls-1.7.22/tls.c	2020-10-12 22:39:22.000000000 +0200
@@ -61,9 +61,10 @@
 static int	UnimportObjCmd(ClientData clientData,
 			Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]);
 
-static SSL_CTX *CTX_Init(State *statePtr, int proto, char *key,
-			char *cert, char *CAdir, char *CAfile, char *ciphers,
-			char *DHparams);
+static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
+			char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1,
+			int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile,
+			char *ciphers, char *DHparams);
 
 static int	TlsLibInit(int uninitialize);
 
@@ -72,6 +73,7 @@
 #define TLS_PROTO_TLS1		0x04
 #define TLS_PROTO_TLS1_1	0x08
 #define TLS_PROTO_TLS1_2	0x10
+#define TLS_PROTO_TLS1_3	0x20
 #define ENABLED(flag, mask)	(((flag) & (mask)) == (mask))
 
 /*
@@ -498,10 +500,10 @@
     Tcl_Obj *CONST objv[];
 {
     static CONST84 char *protocols[] = {
-	"ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", NULL
+	"ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL
     };
     enum protocol {
-	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_NONE
+	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE
     };
     Tcl_Obj *objPtr;
     SSL_CTX *ctx = NULL;
@@ -560,6 +562,15 @@
 #else
 	    ctx = SSL_CTX_new(TLSv1_2_method()); break;
 #endif
+	case TLS_TLS1_3:
+#if defined(NO_TLS1_3)
+	    Tcl_AppendResult(interp, "protocol not supported", NULL);
+	    return TCL_ERROR;
+#else
+	    ctx = SSL_CTX_new(TLS_method()); break;
+	    SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+	    SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
+#endif
 	default:
 	    break;
 	}
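Review bot: In the new `case TLS_TLS1_3:` of the `#else` branch, `break;` sits on the same line as `ctx = SSL_CTX_new(TLS_method());`, so the two `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` calls that follow are unreachable and the context keeps the library's default version range instead of being pinned to TLS 1.3, which makes the `tls1.3` cipher listing report whatever the default range allows. Move the `break;` below the `SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);` line. `SSL_CTX_new` can return NULL and the pinning calls would then dereference it; whether `ctx` is checked after the `switch` lies outside the hunk, so guarding the two calls with `if (ctx == NULL) break;` is the safe form. The equivalent pinning in `CTX_Init` (hunk at -1126 in this file) has the statements in the right order, so the two sites should match.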
@@ -719,24 +730,29 @@
 {
     Tcl_Channel chan;		/* The channel to set a mode on. */
     State *statePtr;		/* client state for ssl socket */
-    SSL_CTX *ctx	= NULL;
-    Tcl_Obj *script	= NULL;
-    Tcl_Obj *password	= NULL;
+    SSL_CTX *ctx		= NULL;
+    Tcl_Obj *script		= NULL;
+    Tcl_Obj *password		= NULL;
+    Tcl_DString upperChannelTranslation, upperChannelBlocking, upperChannelEncoding, upperChannelEOFChar;
     int idx, len;
-    int flags		= TLS_TCL_INIT;
-    int server		= 0;	/* is connection incoming or outgoing? */
-    char *key		= NULL;
-    char *cert		= NULL;
-    char *ciphers	= NULL;
-    char *CAfile	= NULL;
-    char *CAdir		= NULL;
-    char *DHparams	= NULL;
-    char *model		= NULL;
+    int flags			= TLS_TCL_INIT;
+    int server			= 0;	/* is connection incoming or outgoing? */
+    char *keyfile		= NULL;
+    char *certfile		= NULL;
+    unsigned char *key		= NULL;
+    int key_len			= 0;
+    unsigned char *cert		= NULL;
+    int cert_len		= 0;
+    char *ciphers		= NULL;
+    char *CAfile		= NULL;
+    char *CAdir			= NULL;
+    char *DHparams		= NULL;
+    char *model			= NULL;
 #ifndef OPENSSL_NO_TLSEXT
-    char *servername	= NULL;	/* hostname for Server Name Indication */
+    char *servername		= NULL;	/* hostname for Server Name Indication */
 #endif
     int ssl2 = 0, ssl3 = 0;
-    int tls1 = 1, tls1_1 = 1, tls1_2 = 1;
+    int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
     int proto = 0;
     int verify = 0, require = 0, request = 1;
 
@@ -757,6 +773,9 @@
 #if defined(NO_TLS1_2)
     tls1_2 = 0;
 #endif
+#if defined(NO_TLS1_3)
+    tls1_3 = 0;
+#endif
 
     if (objc < 2) {
 	Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?");
@@ -781,11 +800,11 @@
 
 	OPTSTR( "-cadir", CAdir);
 	OPTSTR( "-cafile", CAfile);
-	OPTSTR( "-certfile", cert);
+	OPTSTR( "-certfile", certfile);
 	OPTSTR( "-cipher", ciphers);
 	OPTOBJ( "-command", script);
 	OPTSTR( "-dhparams", DHparams);
-	OPTSTR( "-keyfile", key);
+	OPTSTR( "-keyfile", keyfile);
 	OPTSTR( "-model", model);
 	OPTOBJ( "-password", password);
 	OPTBOOL( "-require", require);
@@ -800,8 +819,11 @@
 	OPTBOOL( "-tls1", tls1);
 	OPTBOOL( "-tls1.1", tls1_1);
 	OPTBOOL( "-tls1.2", tls1_2);
+	OPTBOOL( "-tls1.3", tls1_3);
+	OPTBYTE("-cert", cert, cert_len);
+	OPTBYTE("-key", key, key_len);
 
-	OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2");
+	OPTBAD( "option", "-cadir, -cafile, -cert, -certfile, -cipher, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3");
 
 	return TCL_ERROR;
     }
@@ -814,14 +836,17 @@
     proto |= (tls1 ? TLS_PROTO_TLS1 : 0);
     proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0);
     proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0);
+    proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0);
 
     /* reset to NULL if blank string provided */
-    if (cert && !*cert)		cert	= NULL;
-    if (key && !*key)		key	= NULL;
-    if (ciphers && !*ciphers)	ciphers	= NULL;
-    if (CAfile && !*CAfile)	CAfile	= NULL;
-    if (CAdir && !*CAdir)	CAdir	= NULL;
-    if (DHparams && !*DHparams)	DHparams = NULL;
+    if (cert && !*cert)		cert	= NULL;
+    if (key && !*key)		key	= NULL;
+    if (certfile && !*certfile)	certfile	= NULL;
+    if (keyfile && !*keyfile)	keyfile	= NULL;
+    if (ciphers && !*ciphers)	ciphers	= NULL;
+    if (CAfile && !*CAfile)	CAfile	= NULL;
+    if (CAdir && !*CAdir)	CAdir	= NULL;
+    if (DHparams && !*DHparams)	DHparams = NULL;
 
     /* new SSL state */
     statePtr = (State *) ckalloc((unsigned) sizeof(State));
@@ -871,8 +896,9 @@
 	}
 	ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
     } else {
-	if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers,
-		DHparams)) == (SSL_CTX*)0) {
+	if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key,
+		cert, key_len, cert_len, CAdir, CAfile, ciphers,
+		DHparams)) == (SSL_CTX*)0) {
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
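Review bot: The rewritten `OPTBAD` option list ends in `-tls1.2, or tls1.3`, dropping the leading dash on the last entry, so the usage error names an option that does not exist; change the tail to `-tls1.2, or -tls1.3`. The new `OPTBYTE("-cert", cert, cert_len);` and `OPTBYTE("-key", key, key_len);` lines are appended after the `-tls1.3` boolean while every other option in this table is kept in alphabetical order; placing them next to their `-certfile`/`-keyfile` siblings keeps the table consistent with the order used in the `OPTBAD` message.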
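Review bot: `if (cert && !*cert) cert = NULL;` and `if (key && !*key) key = NULL;` are carried over from the string version, but `cert` and `key` are now `unsigned char *` values filled by `OPTBYTE` from `Tcl_GetByteArrayFromObj`, which are not NUL-terminated: the only valid emptiness test is the length that `OPTBYTE` already stored, and dereferencing a zero-length array reads a byte the caller never set. Use `if (cert && cert_len == 0) cert = NULL;` and `if (key && key_len == 0) key = NULL;` instead. A comment such as `/* -cert/-key are raw DER bytes: test the length, not the first byte */` above those two lines would keep a later edit from reverting this.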
@@ -886,6 +912,14 @@
      * We only want to adjust the buffering in pre-v2 channels, where
      * each channel in the stack maintained its own buffers.
      */
+    Tcl_DStringInit(&upperChannelTranslation);
+    Tcl_DStringInit(&upperChannelBlocking);
+    Tcl_DStringInit(&upperChannelEOFChar);
+    Tcl_DStringInit(&upperChannelEncoding);
+    Tcl_GetChannelOption(interp, chan, "-eofchar", &upperChannelEOFChar);
+    Tcl_GetChannelOption(interp, chan, "-encoding", &upperChannelEncoding);
+    Tcl_GetChannelOption(interp, chan, "-translation", &upperChannelTranslation);
+    Tcl_GetChannelOption(interp, chan, "-blocking", &upperChannelBlocking);
     Tcl_SetChannelOption(interp, chan, "-translation", "binary");
     Tcl_SetChannelOption(interp, chan, "-blocking", "true");
     dprintf("Consuming Tcl channel %s", Tcl_GetChannelName(chan));
@@ -899,6 +933,11 @@
 	return TCL_ERROR;
     }
 
+    Tcl_SetChannelOption(interp, statePtr->self, "-translation", Tcl_DStringValue(&upperChannelTranslation));
+    Tcl_SetChannelOption(interp, statePtr->self, "-encoding", Tcl_DStringValue(&upperChannelEncoding));
+    Tcl_SetChannelOption(interp, statePtr->self, "-eofchar", Tcl_DStringValue(&upperChannelEOFChar));
+    Tcl_SetChannelOption(interp, statePtr->self, "-blocking", Tcl_DStringValue(&upperChannelBlocking));
+
     /*
      * SSL Initialization
      */
@@ -1027,11 +1066,17 @@
  */
 
 static SSL_CTX *
-CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, DHparams)
+CTX_Init(statePtr, isServer, proto, keyfile, certfile, key, cert,
+	key_len, cert_len, CAdir, CAfile, ciphers, DHparams)
     State *statePtr;
+    int isServer;
     int proto;
-    char *key;
-    char *cert;
+    char *keyfile;
+    char *certfile;
+    unsigned char *key;
+    unsigned char *cert;
+    int key_len;
+    int cert_len;
     char *CAdir;
     char *CAfile;
     char *ciphers;
@@ -1042,6 +1087,7 @@
     Tcl_DString ds;
     Tcl_DString ds1;
     int off = 0;
+    int load_private_key;
     const SSL_METHOD *method;
 
     dprintf("Called");
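Review bot: The four `Tcl_DString`s filled by `Tcl_GetChannelOption` in the first hunk are never released: there is no `Tcl_DStringFree` after the four restoring `Tcl_SetChannelOption` calls in the second hunk, and the `return TCL_ERROR;` that opens the second hunk also leaves them allocated (its condition lies outside the hunk). Any value longer than the DString's static buffer, such as a long encoding name, then leaks heap on every `tls::import`. Add `Tcl_DStringFree(&upperChannelTranslation);` and the three sibling frees directly after the restore calls, and the same four frees before that early return. The results of `Tcl_GetChannelOption`/`Tcl_SetChannelOption` are also discarded, so a failed restore of `-encoding` or `-eofchar` on `statePtr->self` passes silently; checking the restore results, or at least logging them with `dprintf`, would make such a mismatch visible.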
@@ -1082,6 +1128,12 @@
 	return (SSL_CTX *)0;
     }
 #endif
+#if defined(NO_TLS1_3)
+    if (ENABLED(proto, TLS_PROTO_TLS1_3)) {
+	Tcl_AppendResult(interp, "protocol not supported", NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
 
     switch (proto) {
 #if !defined(NO_SSL2)
@@ -1109,8 +1161,22 @@
 	    method = TLSv1_2_method ();
 	    break;
 #endif
+#if !defined(NO_TLS1_3)
+	case TLS_PROTO_TLS1_3:
+	    /*
+	     * The version range is constrained below,
+	     * after the context is created. Use the
+	     * generic method here.
+	     */
+	    method = TLS_method ();
+	    break;
+#endif
 	default:
+#ifdef HAVE_TLS_METHOD
+	    method = TLS_method ();
+#else
 	    method = SSLv23_method ();
+#endif
 #if !defined(NO_SSL2)
 	    off |= (ENABLED(proto, TLS_PROTO_SSL2) ? 0 : SSL_OP_NO_SSLv2);
 #endif
@@ -1126,10 +1192,24 @@
 #if !defined(NO_TLS1_2)
 	    off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2);
 #endif
+#if !defined(NO_TLS1_3)
+	    off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3);
+#endif
 	    break;
     }
 
     ctx = SSL_CTX_new (method);
+
+    if (!ctx) {
+	return(NULL);
+    }
+
+#if !defined(NO_TLS1_3)
+    if (proto == TLS_PROTO_TLS1_3) {
+	SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+	SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
+    }
+#endif
 
     SSL_CTX_set_app_data( ctx, (VOID*)interp);	/* remember the interpreter */
     SSL_CTX_set_options( ctx, SSL_OP_ALL);	/* all SSL bug workarounds */
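Review bot: The return values of `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` in the `proto == TLS_PROTO_TLS1_3` block are ignored; both return 0 when the library cannot honour the requested version, and the context then silently keeps its default range instead of being pinned, which defeats an explicit TLS 1.3-only request. Check them and fail like the surrounding paths do: `if (!SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) || !SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)) { SSL_CTX_free(ctx); return (SSL_CTX *)0; }`. The new `if (!ctx) { return(NULL); }` is the only failure path in `CTX_Init` that leaves the interpreter result empty; appending `REASON()` through `Tcl_AppendResult` and writing `return (SSL_CTX *)0;` as the rest of the function does would keep error reporting uniform. `case TLS_PROTO_TLS1_3` guards its `TLS_method ()` call with `NO_TLS1_3` while the `default:` branch guards the same call with `HAVE_TLS_METHOD`; presumably configure defines both consistently, but one macro for one call would remove the doubt.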
@@ -1187,59 +1267,95 @@ #endif /* set our certificate */ - if (cert != NULL) { + load_private_key = 0; + if (certfile != NULL) { + load_private_key = 1; + Tcl_DStringInit(&ds); - if (SSL_CTX_use_certificate_file(ctx, F2N( cert, &ds), + if (SSL_CTX_use_certificate_file(ctx, F2N( certfile, &ds), SSL_FILETYPE_PEM) <= 0) { Tcl_DStringFree(&ds); Tcl_AppendResult(interp, - "unable to set certificate file ", cert, ": ", + "unable to set certificate file ", certfile, ": ", REASON(), (char *) NULL); SSL_CTX_free(ctx); return (SSL_CTX *)0; } - - /* get the private key associated with this certificate */ - if (key == NULL) key=cert; - - if (SSL_CTX_use_PrivateKey_file(ctx, F2N( key, &ds), - SSL_FILETYPE_PEM) <= 0) { + } else if (cert != NULL) { + load_private_key = 1; + if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) { Tcl_DStringFree(&ds); - /* flush the passphrase which might be left in the result */ - Tcl_SetResult(interp, NULL, TCL_STATIC); Tcl_AppendResult(interp, - "unable to set public key file ", key, " ", + "unable to set certificate: ", REASON(), (char *) NULL); SSL_CTX_free(ctx); return (SSL_CTX *)0; } - Tcl_DStringFree(&ds); - /* Now we know that a key and cert have been set against - * the SSL context */ - if (!SSL_CTX_check_private_key(ctx)) { - Tcl_AppendResult(interp, - "private key does not match the certificate public key", - (char *) NULL); - SSL_CTX_free(ctx); - return (SSL_CTX *)0; - } } else { - cert = (char*)X509_get_default_cert_file(); + certfile = (char*)X509_get_default_cert_file(); - if (SSL_CTX_use_certificate_file(ctx, cert, + if (SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM) <= 0) { #if 0 Tcl_DStringFree(&ds); Tcl_AppendResult(interp, - "unable to use default certificate file ", cert, ": ", + "unable to use default certificate file ", certfile, ": ", REASON(), (char *) NULL); SSL_CTX_free(ctx); return (SSL_CTX *)0; #endif } } - + + /* set our private key */ + if (load_private_key) { + if (keyfile == NULL && key == 
NULL) { + keyfile = certfile; + } + + if (keyfile != NULL) { + /* get the private key associated with this certificate */ + if (keyfile == NULL) { + keyfile = certfile; + } + + if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds), SSL_FILETYPE_PEM) <= 0) { + Tcl_DStringFree(&ds); + /* flush the passphrase which might be left in the result */ + Tcl_SetResult(interp, NULL, TCL_STATIC); + Tcl_AppendResult(interp, + "unable to set public key file ", keyfile, " ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + + Tcl_DStringFree(&ds); + } else if (key != NULL) { + if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) { + Tcl_DStringFree(&ds); + /* flush the passphrase which might be left in the result */ + Tcl_SetResult(interp, NULL, TCL_STATIC); + Tcl_AppendResult(interp, + "unable to set public key: ", + REASON(), (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } + /* Now we know that a key and cert have been set against + * the SSL context */ + if (!SSL_CTX_check_private_key(ctx)) { + Tcl_AppendResult(interp, + "private key does not match the certificate public key", + (char *) NULL); + SSL_CTX_free(ctx); + return (SSL_CTX *)0; + } + } + + /* Set verification CAs */ Tcl_DStringInit(&ds); Tcl_DStringInit(&ds1); if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CAdir, &ds1)) || @@ -1256,6 +1372,7 @@ } /* https://sourceforge.net/p/tls/bugs/57/ */ + /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */ if ( CAfile != NULL ) { STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file( F2N(CAfile, &ds) ); if ( certNames != NULL ) { 
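Review bot: The two new ASN.1 branches (`else if (cert != NULL)` and `else if (key != NULL)`) call `Tcl_DStringFree(&ds)` on failure, but `ds` is only initialised by the `Tcl_DStringInit(&ds)` inside the `certfile != NULL` branch (or by `F2N` in the `keyfile != NULL` branch), so a connection configured purely with `-cert`/`-key` byte values frees an uninitialised `Tcl_DString` — undefined behaviour that can turn a bad-key error into a crash; drop those two frees unless something earlier in `CTX_Init`, outside the hunk, initialises `ds`. Inside `if (keyfile != NULL)` the nested `if (keyfile == NULL) { keyfile = certfile; }` can never run and should go, and when `-cert` bytes come without `-key`, `keyfile = certfile` assigns NULL so no key is loaded and the user only sees the later "private key does not match" message rather than a "no private key given" error. `SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, …)` hard-codes RSA, so an EC or Ed25519 key passed through `-key` is rejected with the generic "unable to set public key" text although the certificate side accepts any key type; tls.htm documents `-key` as PKCS#1 DER, so this matches the docs, but decoding with `d2i_AutoPrivateKey` and installing the result with `SSL_CTX_use_PrivateKey` accepts PKCS#1 and PKCS#8 for every key type at no cost. The rewrite of that branch is below; the enclosing `CTX_Init` starts and ends outside the hunk.
```c
	} else if (key != NULL) {
		const unsigned char *key_p = key;
		/* accepts PKCS#1 (RSA) and PKCS#8 DER for any key type */
		EVP_PKEY *pkey = d2i_AutoPrivateKey(NULL, &key_p, key_len);

		if (pkey == NULL || SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) {
			EVP_PKEY_free(pkey);
			/* flush the passphrase which might be left in the result */
			Tcl_SetResult(interp, NULL, TCL_STATIC);
			Tcl_AppendResult(interp,
				"unable to set public key: ",
				REASON(), (char *) NULL);
			SSL_CTX_free(ctx);
			return (SSL_CTX *)0;
		}
		EVP_PKEY_free(pkey);
	}
	/* … unchanged: SSL_CTX_check_private_key and the verification-CA setup … */
```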
@@ -1351,6 +1468,12 @@ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_cipher(statePtr->ssl), -1)); } + + Tcl_ListObjAppendElement(interp, objPtr, + Tcl_NewStringObj("version", -1)); + Tcl_ListObjAppendElement(interp, objPtr, + Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1)); + Tcl_SetObjResult( interp, objPtr); return TCL_OK; clientData = clientData; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tls.htm new/tcltls-1.7.22/tls.htm --- old/tcltls-1.7.14/tls.htm 2017-11-08 16:01:00.000000000 +0100 +++ new/tcltls-1.7.22/tls.htm 2020-10-12 22:40:18.000000000 +0200 @@ -20,7 +20,7 @@ <dd><a href="#SYNOPSIS">SYNOPSIS</a> </dd> <dd><dl> <dd><b>package require Tcl </b><em>?8.4?</em></dd> - <dd><b>package require tls </b><em>?1.7.14?</em></dd> + <dd><b>package require tls </b><em>?1.7.22?</em></dd> <dt> </dt> <dd><b>tls::init </b><i>?options?</i> </dd> <dd><b>tls::socket </b><em>?options? host port</em></dd> @@ -51,7 +51,7 @@ <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> <p><b>package require Tcl 8.4</b><br> -<b>package require tls 1.7.14</b><br> +<b>package require tls 1.7.22</b><br> <br> <a href="#tls::init"><b>tls::init </b><i>?options?</i><br> </a><a href="#tls::socket"><b>tls::socket </b><em>?options? host @@ -147,6 +147,11 @@ server channels.</dd> <dt><strong>sbits</strong> <em>n</em></dt> <dd>The number of bits used for the session key.</dd> + <dt><strong>certificate</strong> <em>n</em></dt> + <dd>The PEM encoded certificate.</dd> + <dt><strong>version</strong> <em>value</em></dt> + <dd>The protocol version used for the connection: + SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, unknown</dd> </dl> </blockquote> 
@@ -165,7 +170,9 @@ <dt><strong>-cafile </strong><em>filename</em></dt> <dd>Provide the CA file.</dd> <dt><strong>-certfile</strong> <em>filename</em></dt> - <dd>Provide the certificate to use.</dd> + <dd>Provide the name of a file containing certificate to use.</dd> + <dt><strong>-cert</strong> <em>filename</em></dt> + <dd>Provide the contents of a certificate to use, as a DER encoded binary value (X.509 DER).</dd> <dt><strong>-cipher </strong><em>string</em></dt> <dd>Provide the cipher suites to use. Syntax is as per OpenSSL.</dd> @@ -183,6 +190,8 @@ <dt><strong>-keyfile</strong> <em>filename</em></dt> <dd>Provide the private key file. (<strong>default</strong>: value of -certfile)</dd> + <dt><strong>-key</strong> <em>filename</em></dt> + <dd>Provide the private key to use as a DER encoded value (PKCS#1 DER)</dd> <dt><strong>-model</strong> <em>channel</em></dt> <dd>This will force this channel to share the same <em><strong>SSL_CTX</strong></em> structure as the specified <em>channel</em>, and @@ -221,6 +230,8 @@ <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.2</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd> + <dt>-<strong>tls1.3</strong> <em>bool</em></dt> + <dd>Enable use of TLS v1.3 (<strong>default</strong>: <em>true</em>)</dd> </dl> </blockquote> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tls.tcl new/tcltls-1.7.22/tls.tcl --- old/tcltls-1.7.14/tls.tcl 2017-11-08 16:00:28.000000000 +0100 +++ new/tcltls-1.7.22/tls.tcl 2020-10-12 22:39:22.000000000 +0200 
@@ -34,10 +34,12 @@ {* -type sopts 1} {* -cadir iopts 1} {* -cafile iopts 1} + {* -cert iopts 1} {* -certfile iopts 1} {* -cipher iopts 1} {* -command iopts 1} {* -dhparams iopts 1} + {* -key iopts 1} {* -keyfile iopts 1} {* -password iopts 1} {* -request iopts 1} @@ -49,6 +51,7 @@ {* -tls1 iopts 1} {* -tls1.1 iopts 1} {* -tls1.2 iopts 1} + {* -tls1.3 iopts 1} } # tls::socket and tls::init options as a humane readable string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tlsBIO.c new/tcltls-1.7.22/tlsBIO.c --- old/tcltls-1.7.14/tlsBIO.c 2017-11-08 16:00:28.000000000 +0100 +++ new/tcltls-1.7.22/tlsBIO.c 2020-10-12 22:39:22.000000000 +0200 @@ -264,7 +264,7 @@ break; case BIO_CTRL_PENDING: dprintf("Got BIO_CTRL_PENDING"); - ret = ((chan) ? 1 : 0); + ret = ((chan) ? Tcl_InputBuffered(chan) : 0); dprintf("BIO_CTRL_PENDING(%d)", (int) ret); break; case BIO_CTRL_WPENDING: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tlsIO.c new/tcltls-1.7.22/tlsIO.c --- old/tcltls-1.7.14/tlsIO.c 2017-11-08 16:00:28.000000000 +0100 +++ new/tcltls-1.7.22/tlsIO.c 2020-10-12 22:39:22.000000000 +0200 
@@ -745,14 +745,15 @@ statePtr->timer = (Tcl_TimerToken) NULL; } - if ((mask & TCL_READABLE) && Tcl_InputBuffered(statePtr->self) > 0) { - /* - * There is interest in readable events and we actually have - * data waiting, so generate a timer to flush that. - */ - dprintf("Creating a new timer since data appears to be waiting"); - statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, - TlsChannelHandlerTimer, (ClientData) statePtr); + if (mask & TCL_READABLE) { + if (Tcl_InputBuffered(statePtr->self) > 0 || BIO_ctrl_pending(statePtr->bio) > 0) { + /* + * There is interest in readable events and we actually have + * data waiting, so generate a timer to flush that. + */ + dprintf("Creating a new timer since data appears to be waiting"); + statePtr->timer = Tcl_CreateTimerHandler(TLS_TCL_DELAY, TlsChannelHandlerTimer, (ClientData) statePtr); + } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tcltls-1.7.14/tlsX509.c new/tcltls-1.7.22/tlsX509.c --- old/tcltls-1.7.14/tlsX509.c 2017-11-08 16:00:28.000000000 +0100 +++ new/tcltls-1.7.22/tlsX509.c 2020-10-12 22:39:22.000000000 +0200 @@ -84,6 +84,8 @@ *------------------------------------------------------* */ +#define CERT_STR_SIZE 16384 + Tcl_Obj* Tls_NewX509Obj( interp, cert) Tcl_Interp *interp; @@ -98,7 +100,8 @@ char serial[BUFSIZ]; char notBefore[BUFSIZ]; char notAfter[BUFSIZ]; - char certStr[BUFSIZ]; + char certStr[CERT_STR_SIZE], *certStr_p; + int certStr_len, toRead; #ifndef NO_SSL_SHA int shai; char sha_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1]; 
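Review bot: The new `BIO_ctrl_pending(statePtr->bio) > 0` test can keep re-arming the timer every `TLS_TCL_DELAY` without the handler making progress: the tlsBIO.c hunk in this same diff changes `BIO_CTRL_PENDING` to report `Tcl_InputBuffered(chan)`, so if `statePtr->bio` sits on top of that channel BIO, bytes of a partially received TLS record count as "pending" although `SSL_read()` cannot yet deliver anything. Whether this turns into a busy loop depends on what `TlsChannelHandlerTimer` does with a readable event that yields no data, which is outside the hunk (as is the start of the enclosing function), so at minimum the intent deserves a comment on the new condition: `/* BIO_ctrl_pending() also counts undecrypted bytes buffered below the SSL layer (see BIO_CTRL_PENDING in tlsBIO.c), not only SSL_pending(); a partial record keeps this true until more input arrives. */`. If only already-decrypted data is meant to trigger the timer, `SSL_pending(statePtr->ssl) > 0` is the narrower test.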
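Review bot: `char certStr[CERT_STR_SIZE]` adds 16 KiB of automatic storage to `Tls_NewX509Obj` on top of the three existing `BUFSIZ` buffers, and the read loop in the next hunk stops at `CERT_STR_SIZE - 1` bytes, so the limit is both a stack-footprint and a truncation bound that nothing in the code explains. Since the PEM text is produced into a memory BIO, its length is known after `PEM_write_bio_X509()`; `BIO_get_mem_data(bio, &pem)` followed by `Tcl_NewStringObj(pem, len)` (assuming certStr is ultimately turned into a Tcl string, which happens outside the hunk) would avoid both the fixed buffer and the cap. If the fixed buffer is kept, the define should say what it bounds: `#define CERT_STR_SIZE 16384 /* max bytes (incl. NUL) of PEM certificate copied into certStr; longer PEM is cut off */`. The rest of `Tls_NewX509Obj` lies outside this hunk.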
@@ -136,9 +139,23 @@ (void)BIO_flush(bio); if (PEM_write_bio_X509(bio, cert)) { - n = BIO_read(bio, certStr, min(BIO_pending(bio), BUFSIZ - 1)); - n = max(n, 0); - certStr[n] = 0; + certStr_p = certStr; + certStr_len = 0; + while (1) { + toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1); + toRead = min(toRead, BUFSIZ); + if (toRead == 0) { + break; + } + dprintf("Reading %i bytes from the certificate...", toRead); + n = BIO_read(bio, certStr_p, toRead); + if (n <= 0) { + break; + } + certStr_len += n; + certStr_p += n; + } + *certStr_p = '\0'; (void)BIO_flush(bio); }
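Review bot: When the PEM encoding does not fit, the loop exits via `toRead == 0` with `certStr` holding a truncated certificate and no indication to the caller, which for a field a script may use for pinning or display is worse than an error; the unread remainder also stays in the mem BIO, and if the same `bio` is reused for later fields (not visible here) it would be prepended to the next read, since `BIO_flush()` does not discard it. After `*certStr_p = '\0';` I would detect the leftover and refuse to hand out a partial certificate, and reset the BIO rather than flush it; whether an empty string or a Tcl error is the right outcome depends on how `Tls_NewX509Obj` reports failures, which is outside the hunk.

```c
		*certStr_p = '\0';
		/* Anything still pending means the PEM exceeded CERT_STR_SIZE - 1 bytes:
		 * do not return a silently truncated certificate. */
		if (BIO_pending(bio) > 0) {
			dprintf("Certificate PEM exceeds CERT_STR_SIZE, discarding truncated copy");
			certStr[0] = '\0';   /* or raise a Tcl error, per the caller's contract */
		}
		(void)BIO_reset(bio);   /* drops the unread remainder; BIO_flush() would keep it */
		/* ... unchanged: end of if (PEM_write_bio_X509(...)) ... */
```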
