Overview
Comment: | In password callback, added check for password > max size. Also added null terminator. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
3866a025e0d0aa35865a2372f19a0933 |
User & Date: | bohagan on 2024-02-28 04:42:13 |
Other Links: | manifest | tags |
Context
2024-03-02
| ||
00:02 | Added check for ssl.h file when checking for valid --opensslincludedir path. Added status message with find ssl.h result. check-in: 65406cadf6 user: bohagan tags: trunk | |
2024-02-28
| ||
05:26 | Merged changes from master check-in: bfb516156c user: bohagan tags: crypto | |
04:42 | In password callback, added check for password > max size. Also added null terminator. check-in: 3866a025e0 user: bohagan tags: trunk | |
04:25 | Updated acinclude.m4 file to add include path check for Mac installs. Corrected check for not null to instead check for not zero length variables. Fixed variable delimiter syntax error. check-in: 881da2c51a user: bohagan tags: trunk | |
Changes
Modified generic/tls.c
from [0e25730e3b]
to [074ad76419].
︙ | ︙ | |||
30 31 32 33 34 35 36 | #include <openssl/safestack.h> /* Min OpenSSL version */ #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif | < < < | 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | #include <openssl/safestack.h> /* Min OpenSSL version */ #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif /* * Forward declarations */ #define F2N(key, dsp) \ (((key) == NULL) ? (char *) NULL : \ |
︙ | ︙ | |||
338 339 340 341 342 343 344 | * * Monitors SSL certificate validation process. Used to control the * behavior when the SSL_VERIFY_PEER flag is set. This is called * whenever a certificate is inspected or decided invalid. Called for * each certificate in the cert chain. * * Checks: | | | 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 | * * Monitors SSL certificate validation process. Used to control the * behavior when the SSL_VERIFY_PEER flag is set. This is called * whenever a certificate is inspected or decided invalid. Called for * each certificate in the cert chain. * * Checks: * The certificate chain is checked starting with the deepest nesting level * (the root CA certificate) and worked upward to the peer's certificate. * All signatures are valid, current time is within first and last validity time. * Check that the certificate is issued by the issuer certificate issuer. * Check the revocation status for each certificate. * Check the validity of the given CRL and the cert revocation status. * Check the policies of all the certificates * |
︙ | ︙ | |||
418 419 420 421 422 423 424 | } /* *------------------------------------------------------------------- * * Tls_Error -- * | | | 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 | } /* *------------------------------------------------------------------- * * Tls_Error -- * * Calls callback with error message. * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ |
︙ | ︙ | |||
493 494 495 496 497 498 499 | } /* *------------------------------------------------------------------- * * Password Callback -- * | | | | > | > > > | > | | 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 | } /* *------------------------------------------------------------------- * * Password Callback -- * * Called when a password is needed for a private key when loading * or storing a PEM certificate with encryption. Evals callback * script and returns the result as the password string in buf. * * Results: * None * * Side effects: * Calls callback (if defined) * * Returns: * Password size in bytes or -1 for an error. * *------------------------------------------------------------------- */ static int PasswordCallback(char *buf, int size, int rwflag, void *udata) { State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; Tcl_Size len; dprintf("Called"); /* If no callback, use default callback */ if (statePtr->password == NULL) { if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) == TCL_OK) { char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > (Tcl_Size) size-1) { len = (Tcl_Size) size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; return (int) len; } else { return -1; } } /* Create command to eval with fn, rwflag, and size args */ cmdPtr = Tcl_DuplicateObj(statePtr->password); |
︙ | ︙ | |||
553 554 555 556 557 558 559 | } Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long */ if (code == TCL_OK) { | < | 555 556 557 558 559 560 561 562 563 564 565 566 567 568 | } Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long */ if (code == TCL_OK) { char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > (Tcl_Size) size-1) { len = (Tcl_Size) size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((ClientData) interp); |
︙ | ︙ | |||
629 630 631 632 633 634 635 636 637 638 639 640 641 642 | Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); return 0; } /* *------------------------------------------------------------------- * * ALPN Callback for Servers and NPN Callback for Clients -- | > > | 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 | Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session))); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); /* Return 0 for now until session handling is complete */ return 0; } /* *------------------------------------------------------------------- * * ALPN Callback for Servers and NPN Callback for Clients -- |
︙ | ︙ | |||
1557 1558 1559 1560 1561 1562 1563 | char *str = Tcl_GetStringFromObj(list[j], &len); *p++ = (unsigned char) len; memcpy(p, str, (size_t) len); p += len; } /* SSL_set_alpn_protos makes a copy of the protocol-list */ | | | 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 | char *str = Tcl_GetStringFromObj(list[j], &len); *p++ = (unsigned char) len; memcpy(p, str, (size_t) len); p += len; } /* SSL_set_alpn_protos makes a copy of the protocol-list */ /* Note: This function reverses the return value convention */ if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL); Tls_Free((char *) statePtr); ckfree(protos); return TCL_ERROR; } |
︙ | ︙ |