@@ -32,13 +32,10 @@ /* Min OpenSSL version */ #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif -/* - * External functions - */ /* * Forward declarations */
@@ -340,11 +337,11 @@ * behavior when the SSL_VERIFY_PEER flag is set. This is called * whenever a certificate is inspected or decided invalid. Called for * each certificate in the cert chain. * * Checks: - * certificate chain is checked starting with the deepest nesting level + * The certificate chain is checked starting with the deepest nesting level * (the root CA certificate) and worked upward to the peer's certificate. * All signatures are valid, current time is within first and last validity time. * Check that the certificate is issued by the issuer certificate issuer. * Check the revocation status for each certificate. * Check the validity of the given CRL and the cert revocation status.
@@ -420,11 +417,11 @@ /* *------------------------------------------------------------------- * * Tls_Error -- * - * Calls callback with list of errors. + * Calls callback with error message. * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason *
@@ -495,13 +492,13 @@ /* *------------------------------------------------------------------- * * Password Callback -- * - * Called when a password for a private key loading/storing a PEM - * certificate with encryption. Evals callback script and returns - * the result as the password string in buf. + * Called when a password is needed for a private key when loading + * or storing a PEM certificate with encryption. Evals callback + * script and returns the result as the password string in buf. * * Results: * None * * Side effects:
@@ -516,19 +513,24 @@ PasswordCallback(char *buf, int size, int rwflag, void *udata) { State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; + Tcl_Size len; dprintf("Called"); /* If no callback, use default callback */ if (statePtr->password == NULL) { if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) == TCL_OK) { - char *ret = (char *) Tcl_GetStringResult(interp); - strncpy(buf, ret, (size_t) size); - return (int)strlen(ret); + char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); + if (len > (Tcl_Size) size-1) { + len = (Tcl_Size) size-1; + } + strncpy(buf, ret, (size_t) len); + buf[len] = '\0'; + return (int) len; } else { return -1; } }
@@ -555,11 +557,10 @@ Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long */ if (code == TCL_OK) { - Tcl_Size len; char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > (Tcl_Size) size-1) { len = (Tcl_Size) size-1; } strncpy(buf, ret, (size_t) len);
@@ -631,10 +632,12 @@ /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); + + /* Return 0 for now until session handling is complete */ return 0; } /* *-------------------------------------------------------------------
@@ -1559,11 +1562,11 @@ memcpy(p, str, (size_t) len); p += len; } /* SSL_set_alpn_protos makes a copy of the protocol-list */ - /* Note: This functions reverses the return value convention */ + /* Note: This function reverses the return value convention */ if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL); Tls_Free((char *) statePtr); ckfree(protos);
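Review bot: The new clamp `if (len > (Tcl_Size) size-1)` in the default-callback branch assumes `size` is positive; should OpenSSL ever hand the callback a `size` of 0, `len` is clamped to -1, `strncpy` receives `(size_t) -1` and `buf[len] = '\0'` writes one byte before the buffer, and the identical clamp in the script branch at hunk `@@ -555` has the same gap. A guard at the top of the function, `if (size <= 0) return -1;`, covers both copies. Since the copy is now followed by an explicit terminator, `memcpy(buf, ret, (size_t) len);` states the intent more directly than `strncpy`, and the silent truncation of an over-long password is documented only in the script branch ("truncate if too long"), so a matching one-line comment here would keep the two branches consistent. PasswordCallback continues past the end of the hunk.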
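Review bot: The added comment `/* Return 0 for now until session handling is complete */` says the return value is provisional but not what the value means to the caller, which is what the next maintainer will need before changing it. If this is the new-session callback registered with SSL_CTX_sess_set_new_cb (its registration is not visible in the hunk), returning 0 tells OpenSSL the callback kept no reference to the session, so no SSL_SESSION_free is owed here; a comment such as `/* Return 0: no reference to the session is retained, so OpenSSL keeps ownership. TODO: revisit once session handling is complete */` records that contract. The enclosing function starts before the hunk.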