Overview
Comment: | Register ALPN callbacks only if protocols are defined. Catch more errors in callbacks; return after setting return values. |
---|---|
SHA3-256: |
3b2e00d8a57b37484940863ca98b475b |
User & Date: | bohagan on 2023-07-16 16:02:30 |
Context
2023-07-16
17:26 | Added alert type to info callback parameters and refactored code. check-in: 0aa8ad9487 user: bohagan tags: errors_and_callbacks | |
16:02 | Register ALPN callbacks only if protocols defined. Catch more errors in callbacks, return after set return values. check-in: 3b2e00d8a5 user: bohagan tags: errors_and_callbacks | |
15:21 | Created error handler and callback updates branch check-in: 0d1d711916 user: bohagan tags: errors_and_callbacks | |
Changes
Modified generic/tls.c
from [55d19f65b6]
to [459b6052cb].
︙ | ︙ | |||
499 500 501 502 503 504 505 506 507 508 509 510 511 512 | /* *------------------------------------------------------------------- * * ALPN Callback for Servers -- * * Perform server-side protocol (http/1.1, h2, h3, etc.) selection for the * incoming connection. Called after Hello and server callbacks * * Results: * None * * Side effects: * Calls callback (if defined) * | > | 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 | /* *------------------------------------------------------------------- * * ALPN Callback for Servers -- * * Perform server-side protocol (http/1.1, h2, h3, etc.) selection for the * incoming connection. Called after Hello and server callbacks * Where 'out' is selected protocol and 'in' is the peer advertised list. * * Results: * None * * Side effects: * Calls callback (if defined) * |
︙ | ︙ | |||
525 526 527 528 529 530 531 | State *statePtr = (State*)arg; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code, res; dprintf("Called"); | < < | | > > > > | 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 | State *statePtr = (State*)arg; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code, res; dprintf("Called"); if (ssl == NULL || arg == NULL) { return SSL_TLSEXT_ERR_NOACK; } /* Select protocol */ if (SSL_select_next_proto(out, outlen, statePtr->protos, statePtr->protos_len, in, inlen) == OPENSSL_NPN_NEGOTIATED) { res = SSL_TLSEXT_ERR_OK; } else { /* No overlap, so use first client protocol */ res = SSL_TLSEXT_ERR_NOACK; } if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(*out, -1)); Tcl_Preserve((ClientData) interp); Tcl_Preserve((ClientData) statePtr); |
︙ | ︙ | |||
598 599 600 601 602 603 604 | Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; char *servername = NULL; dprintf("Called"); | < < | > > > > | 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 | Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; char *servername = NULL; dprintf("Called"); if (ssl == NULL || arg == NULL) { return SSL_TLSEXT_ERR_NOACK; } servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (!servername || servername[0] == '\0') { return SSL_TLSEXT_ERR_NOACK; } if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("sni", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername , -1)); Tcl_Preserve((ClientData) interp); Tcl_Preserve((ClientData) statePtr); |
︙ | ︙ | |||
671 672 673 674 675 676 677 | const unsigned char *p; size_t len, remaining; dprintf("Called"); if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_CLIENT_HELLO_SUCCESS; | | | 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 | const unsigned char *p; size_t len, remaining; dprintf("Called"); if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_CLIENT_HELLO_SUCCESS; } else if (ssl == NULL || arg == NULL) { return SSL_CLIENT_HELLO_ERROR; } /* Get names */ if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) || remaining <= 2) { return SSL_CLIENT_HELLO_ERROR; } |
︙ | ︙ | |||
1352 1353 1354 1355 1356 1357 1358 | /* Create Tcl_Channel BIO Handler */ statePtr->p_bio = BIO_new_tcl(statePtr, BIO_NOCLOSE); statePtr->bio = BIO_new(BIO_f_ssl()); if (server) { /* Server callbacks */ | < > > > | 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 | /* Create Tcl_Channel BIO Handler */ statePtr->p_bio = BIO_new_tcl(statePtr, BIO_NOCLOSE); statePtr->bio = BIO_new(BIO_f_ssl()); if (server) { /* Server callbacks */ SSL_CTX_set_tlsext_servername_arg(statePtr->ctx, (void *)statePtr); SSL_CTX_set_tlsext_servername_callback(statePtr->ctx, SNICallback); SSL_CTX_set_client_hello_cb(statePtr->ctx, HelloCallback, (void *)statePtr); if (statePtr->protos != NULL) { SSL_CTX_set_alpn_select_cb(statePtr->ctx, ALPNCallback, (void *)statePtr); } /* Enable server to send cert request after handshake (TLS 1.3 only) */ if (request && post_handshake) { SSL_verify_client_post_handshake(statePtr->ssl); } statePtr->flags |= TLS_TCL_SERVER; |
︙ | ︙ | |||
1590 1591 1592 1593 1594 1595 1596 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } SSL_CTX_set_app_data(ctx, (void*)interp); /* remember the interpreter */ SSL_CTX_set_options(ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options(ctx, off); /* disable protocol versions */ #if OPENSSL_VERSION_NUMBER < 0x10101000L | | | 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } SSL_CTX_set_app_data(ctx, (void*)interp); /* remember the interpreter */ SSL_CTX_set_options(ctx, SSL_OP_ALL); /* all SSL bug workarounds */ SSL_CTX_set_options(ctx, off); /* disable protocol versions */ #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background. On by default in OpenSSL 1.1.1. */ #endif SSL_CTX_sess_set_cache_size(ctx, 128); /* Set user defined ciphers, cipher suites, and security level */ if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) { Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *) NULL); SSL_CTX_free(ctx); |
︙ | ︙ |
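Review bot: In the ALPNCallback hunk, `Tcl_NewStringObj(*out, -1)` treats the selected protocol as a NUL-terminated C string, but ALPN protocol names are length-prefixed bytes inside the ClientHello buffer with no terminator, so this reads past the protocol into adjacent wire data and hands that over-read to the Tcl callback; it should be `Tcl_NewStringObj((const char *)*out, (int)*outlen)`. The negotiation result is also discarded: `res` is set to SSL_TLSEXT_ERR_NOACK on no overlap (where, per the comment, `*out` is the client's first protocol), yet the no-callback path does `return SSL_TLSEXT_ERR_OK`, which accepts a protocol the server never offered; that line should be `return res;`, and the callback path further down presumably needs the same treatment. The added `ssl == NULL || arg == NULL` guards in ALPNCallback, SNICallback and HelloCallback come after `statePtr->interp` or `statePtr->callback` has already been dereferenced in the context lines above them, so they cannot catch a NULL arg and should move before the first dereference. All three callback bodies begin and end outside their hunks.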