Package: tcltls
Version: 1.5.0-2
Severity: wishlist
Tags: patch

Newer versions of OpenSSL (as already included in Debian) have ability
to use alternate, i.e. hardware implementation of crypto algorithms via
engine modules which can be loaded explicitely or specified in OpenSSL
configuration file. 

This functionality is desirable for any cryptographic application.

Also configuration file can describe default parameters for certificate
requests (such as country or organization).

tcltls has undocumented command ::tls::misc req, which allows to
generate certificate requests, but doesn't use configuration files at
all.

This patch adds two new subcommands to ::tls::misc - config and engine -
which allow loading configuration files and loading engines explicitly.

Patch is also submitted upstream as #1353033 in SF request tracker. 

http://sourceforge.net/tracker/index.php?func=detail&aid=1353033&group_id=13248&atid=313248



-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-p3
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages tcltls depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  tcl8.3                      8.3.5-4      Tcl (the Tool Command Language) v8
ii  tcl8.4                      8.4.9-1      Tcl (the Tool Command Language) v8

-- no debconf information
--- tcltls-1.5.0.orig/tls.c
+++ tcltls-1.5.0/tls.c
@@ -26,7 +26,12 @@
 #include "tlsInt.h"
 #include "tclOpts.h"
 #include <stdlib.h>
-
+#if OPENSSL_VERSION_NUMBER >= 0x0090800
+#include <openssl/conf.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#endif
 /*
  * External functions
  */
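Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x0090800` is one hex digit short: OpenSSL encodes its version as 0xMNNFFPPS, so 0.9.8 is 0x00908000L, while 0x0090800 equals 0x00090800 and is below every 0.9.x value, making the condition always true and compiling the new includes on 0.9.7 as well. The same truncated constant, written `0x0090800L`, is repeated in the three later hunks of tls.c, so the intended "0.9.8 or newer" gate never takes effect anywhere. Use `#if OPENSSL_VERSION_NUMBER >= 0x00908000L` in all four places, and keep the `L` suffix here too so the four guards are textually identical.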
@@ -1155,8 +1160,10 @@
  *	A standard Tcl result.
  *
  * Side effects:
- *	None.
- *
+ *   req - none
+ *   config - Openssl configuration file is loaded	
+ *   engine - specifig engine is loaded or configured
+ *   
  *-------------------------------------------------------------------
  */
 static int
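Review bot: The new Side effects entry for engine says the engine is "loaded or configured", but the C_ENGINE code later in the patch only loads the engine and makes it the default for all methods, and `specifig` is a typo. Suggest ` *   engine - the named engine is loaded and made the process-wide default for all methods`, and for config ` *   config - an OpenSSL configuration file is loaded (process-wide, only once)`, since both cases change global OpenSSL state shared by every interpreter and channel rather than anything local to this command. The config line also ends in a tab.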
@@ -1166,8 +1173,22 @@
     int objc;
     Tcl_Obj	*CONST objv[];
 {
-    const char *commands [] = { "req", NULL };
-    enum command { C_REQ, C_DUMMY };
+    const char *commands [] = { "req", 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800L		
+		"config", 
+#ifndef OPENSSL_NO_ENGINE		
+		"engine", 
+#endif		
+#endif		
+		NULL };
+    enum command { C_REQ, 
+#if OPENSSL_VERSION_NUMBER >= 0x0090800L		
+		C_CONFIG,
+#ifndef OPENSSL_NO_ENGINE		
+		C_ENGINE, 
+#endif		
+#endif		
+		C_DUMMY };
     int cmd;
 
     if (objc < 2) {
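Review bot: The added lines of the `commands` array and the `command` enum use tab indentation and carry trailing whitespace after each `#if`/`#endif`, while the surrounding function body is indented with four spaces; this is a style point only, but it makes the two parallel lists harder to read. Since the array and the enum must stay in the same order under identical preprocessor conditions, a one-line comment such as `/* keep in sync with enum command below */` on the `commands` line would help the next maintainer. The enclosing function starts before this hunk.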
@@ -1302,6 +1323,48 @@
 	    }
 	}
 	break;
+#if OPENSSL_VERSION_NUMBER >= 0x0090800L	
+	case C_CONFIG:
+		if (objc<2 || objc>3) {
+			Tcl_WrongNumArgs(interp,2,objv,"?filename?");
+			return TCL_ERROR;
+		} else if (objc == 2) {
+			OPENSSL_config(NULL);
+		} else {
+			OPENSSL_config(Tcl_GetString(objv[2]));
+		}	
+	break;	
+#ifndef OPENSSL_NO_ENGINE	
+	case C_ENGINE:
+		{ ENGINE *e;
+		static int loaded_engines = 0;
+		if (objc!=3) {
+			Tcl_WrongNumArgs(interp,2,objv,"engine_id");
+			return TCL_ERROR;
+		}
+		if (!loaded_engines) {
+			ENGINE_load_builtin_engines();
+			loaded_engines=1;
+		}	
+		if ((e= ENGINE_by_id(Tcl_GetString(objv[2])))==NULL) {
+			Tcl_AppendResult(interp,"failed to load engine ",
+					Tcl_GetString(objv[2]),
+					"\n",ERR_error_string(ERR_get_error(),NULL),
+					NULL);
+			return TCL_ERROR;
+		}
+		if (!ENGINE_set_default(e,ENGINE_METHOD_ALL)) {
+			Tcl_AppendResult(interp,"Failed to enable engine ",
+					Tcl_GetString(objv[2]),
+					"\n",ERR_error_string(ERR_get_error(),NULL),
+					NULL);
+			return TCL_ERROR;
+		}	
+		ENGINE_free(e);
+		}
+	break;
+#endif	
+#endif	
     }
     return TCL_OK;
 }
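Review bot: In the C_CONFIG case the user string is passed as OPENSSL_config's config_name, which selects the application section inside the default openssl.cnf (or the file named by OPENSSL_CONF), not a file to load, so `tls::misc config /path/to/file` does not do what the `?filename?` usage string and tls.htm describe; loading a specific file is `CONF_modules_load_file(Tcl_GetString(objv[2]), NULL, CONF_MFLAGS_IGNORE_MISSING_FILE)`, whose non-positive return can be turned into a Tcl error, whereas OPENSSL_config reports nothing and is a no-op after its first call. In the C_ENGINE case the ENGINE_set_default failure path returns without releasing the structural reference obtained from ENGINE_by_id; add `ENGINE_free(e);` before that `return TCL_ERROR;`. Both the configuration load and ENGINE_set_default change process-global OpenSSL state that every interpreter and channel in the process then uses, which deserves a why-comment at the case label. `ERR_error_string(..., NULL)` formats into a static buffer; `ERR_error_string_n` with a local buffer is the reentrant form. The enclosing function starts before this hunk.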
--- tcltls-1.5.0.orig/tls.htm
+++ tcltls-1.5.0/tls.htm
@@ -31,6 +31,7 @@
             <dd><b>tls::import</b><em> channel ?options?</em></dd>
             <dd><b>tls::ciphers </b><em>protocol ?verbose?</em></dd>
             <dd><b>tls::version</b></dd>
+			<dd><b>tls::misc</b> <em>subcommand ?args?</em></dd>
         </dl>
     </dd>
     <dd><a href="#COMMANDS">COMMANDS</a></dd>
@@ -62,7 +63,8 @@
 <a href="#tls::import"><b>tls::import </b><i>channel ?options?</i></a><br>
 <a href="#tls::ciphers protocol ?verbose?"><strong>tls::ciphers</strong>
 <em>protocol ?verbose?</em></a><br>
-<a href="#tls::version"><b>tls::version</b></a>
+<a href="#tls::version"><b>tls::version</b></a><br>
+<a href="#tls::misc"><b>tls::misc </b><i>subcommand ?args?</i></a><br>
 </p>
 
 <h3><a name="DESCRIPTION">DESCRIPTION</a></h3>
@@ -223,7 +225,62 @@
     <dt><a name="tls::version"><strong>tls::version</strong></a></dt>
     <dd>Returns the version string defined by OpenSSL.</dd>
 </dl>
-
+<dl><tt><a name="tls::misc"><strong>tls::misc</strong></a></tt></dt>
+<dd>Miscellaneous openssl functions. This command provides functions
+which are not directly related to TLS, but neccessary for proper
+operations. Following subcommands are supportd
+<dl>
+<dt><b>rec</b> <em>keysize keyfile certfile ?info?</em></dt>
+<p>
+Generates private key and certificate request in the keyfile and
+certfile. Currently only RSA keys are supported. Keysize is specified in
+bits. It is typically
+1024, because 512-bit keys are totally insecure, and 2048 bits too
+computational expensive.
+</p>
+<p>
+This command is here, because some tls applications, notably web
+browsers should have ability to generate requests for client
+certificates.
+</p>
+<p>
+Optional <em>info</em> argument is the list of key-value pairs which
+can contain following request attributes:
+<ol>
+<li><b>days</b> - how long certificate should be valid
+<li><b>serial</b> - serial number of certificate
+<li><b>C</b> - Country part of certificate subject
+<LI><b>ST</b> - State part of certificate subject
+<LI><b>L</b> -locality
+<LI><b>O</b> - organization
+<LI><b>OU</b> - organization unit
+<LI><b>CN</B> - Common Name
+<LI><b>Email</B> email address of certificate subject
+</OL>
+Default values for these options are obtained from OpenSSL configuration
+file if one is loaded by <b>tls::misc config</b>.
+<dd>
+<dt><b>config</b> <em>?filename?</em>
+<dd>Loads an OpenSSL configuration file. If no <em>filename</em>
+argument is provided, loads default configuration file, which is
+hardcoded into OpenSSL. Otherwise loads specified file. This command
+doesn't report error if file doesn't exist.
+</dd>
+<dt><b>engine</b> <em>engine_id</em>
+<dd><p>Loads alternate (hardware) implementation of cryptoalgorithms -
+engine in OpenSSL terminology and makes this implementation default for
+all algorithms, supported by particular engine.
+</p>
+<p>
+For now there is no way to send control commands to engine and specify
+path to dynamically loadable engine explicitely. So, only builtin
+engines and engines located in the default OpenSSL engine directory
+could be loaded.
+</p>
+</dd>
+</dl>
+</dd>
+</dl>
 <h3><a name="CALLBACK OPTIONS">CALLBACK OPTIONS</a></h3>
 
 <p>
