Overview
| Comment: | Added more error messages and quoted certificate fail message. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
e3e0021e31285d229ca8391a36b52eef |
| User & Date: | bohagan on 2024-02-09 19:24:59 |
| Other Links: | manifest | tags |
Context
|
2024-02-09
| ||
| 20:06 | Updated badssl.com test cases for error message format and CA file on Unix. check-in: 347e9a4852 user: bohagan tags: trunk | |
| 19:24 | Added more error messages and quoted certificate fail message. check-in: e3e0021e31 user: bohagan tags: trunk | |
|
2024-02-05
| ||
| 00:55 | Code updates for gcc warnings check-in: 7e672606f5 user: bohagan tags: trunk | |
Changes
Modified generic/tls.c from [76576d8a94] to [675528fb5b].
| ︙ | ︙ | |||
1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 |
ret = Tls_WaitForConnect(statePtr, &err, 1);
dprintf("Tls_WaitForConnect returned: %i", ret);
if (ret < 0 && ((statePtr->flags & TLS_TCL_ASYNC) && (err == EAGAIN))) {
dprintf("Async set and err = EAGAIN");
ret = 0;
} else if (ret < 0) {
errStr = statePtr->err;
Tcl_ResetResult(interp);
Tcl_SetErrno(err);
if (!errStr || (*errStr == 0)) {
errStr = Tcl_PosixError(interp);
}
Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL);
Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char *) NULL);
dprintf("Returning TCL_ERROR with handshake failed: %s", errStr);
return(TCL_ERROR);
} else {
if (err != 0) {
dprintf("Got an error with a completed handshake: err = %i", err);
}
| > > > > | 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 |
ret = Tls_WaitForConnect(statePtr, &err, 1);
dprintf("Tls_WaitForConnect returned: %i", ret);
if (ret < 0 && ((statePtr->flags & TLS_TCL_ASYNC) && (err == EAGAIN))) {
dprintf("Async set and err = EAGAIN");
ret = 0;
} else if (ret < 0) {
long result;
errStr = statePtr->err;
Tcl_ResetResult(interp);
Tcl_SetErrno(err);
if (!errStr || (*errStr == 0)) {
errStr = Tcl_PosixError(interp);
}
Tcl_AppendResult(interp, "handshake failed: ", errStr, (char *) NULL);
if ((result = SSL_get_verify_result(statePtr->ssl)) != X509_V_OK) {
Tcl_AppendResult(interp, " due to \"", X509_verify_cert_error_string(result), "\"", (char *) NULL);
}
Tcl_SetErrorCode(interp, "TLS", "HANDSHAKE", "FAILED", (char *) NULL);
dprintf("Returning TCL_ERROR with handshake failed: %s", errStr);
return(TCL_ERROR);
} else {
if (err != 0) {
dprintf("Got an error with a completed handshake: err = %i", err);
}
|
| ︙ | ︙ |
Modified generic/tlsIO.c from [226be28e03] to [388e779826].
| ︙ | ︙ | |||
162 163 164 165 166 167 168 |
dprintf("Accept or connect failed");
}
rc = SSL_get_error(statePtr->ssl, err);
backingError = ERR_get_error();
if (rc != SSL_ERROR_NONE) {
dprintf("Got error: %i (rc = %i)", err, rc);
| | | 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 |
dprintf("Accept or connect failed");
}
rc = SSL_get_error(statePtr->ssl, err);
backingError = ERR_get_error();
if (rc != SSL_ERROR_NONE) {
dprintf("Got error: %i (rc = %i)", err, rc);
dprintf("Got error: %s", ERR_reason_error_string(backingError));
}
bioShouldRetry = 0;
if (err <= 0) {
if (rc == SSL_ERROR_WANT_CONNECT || rc == SSL_ERROR_WANT_ACCEPT || rc == SSL_ERROR_WANT_READ || rc == SSL_ERROR_WANT_WRITE) {
bioShouldRetry = 1;
} else if (BIO_should_retry(statePtr->bio)) {
|
| ︙ | ︙ | |||
186 187 188 189 190 191 192 193 194 195 196 197 198 199 |
if (bioShouldRetry) {
dprintf("The I/O did not complete -- but we should try it again");
if (statePtr->flags & TLS_TCL_ASYNC) {
dprintf("Returning EAGAIN so that it can be retried later");
*errorCodePtr = EAGAIN;
return(-1);
} else {
dprintf("Doing so now");
continue;
}
}
| > | 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 |
if (bioShouldRetry) {
dprintf("The I/O did not complete -- but we should try it again");
if (statePtr->flags & TLS_TCL_ASYNC) {
dprintf("Returning EAGAIN so that it can be retried later");
*errorCodePtr = EAGAIN;
Tls_Error(statePtr, "Handshake not complete, will retry later");
return(-1);
} else {
dprintf("Doing so now");
continue;
}
}
|
| ︙ | ︙ | |||
226 227 228 229 230 231 232 |
} else if (backingError == 0 && err == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
if (*errorCodePtr == ECONNRESET) {
*errorCodePtr = ECONNABORTED;
}
| | | > > > < < < | 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 |
} else if (backingError == 0 && err == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
if (*errorCodePtr == ECONNRESET) {
*errorCodePtr = ECONNABORTED;
}
Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr));
} else {
dprintf("I/O error occurred (backingError = %lu)", backingError);
*errorCodePtr = Tcl_GetErrno();
if (*errorCodePtr == ECONNRESET) {
*errorCodePtr = ECONNABORTED;
}
Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
}
statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
return(-1);
case SSL_ERROR_SSL:
/* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
dprintf("SSL_ERROR_SSL: Got permanent fatal SSL error, aborting immediately");
if (SSL_get_verify_result(statePtr->ssl) != X509_V_OK) {
Tls_Error(statePtr, (char *) X509_verify_cert_error_string(SSL_get_verify_result(statePtr->ssl)));
}
if (backingError != 0) {
Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
}
statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
*errorCodePtr = ECONNABORTED;
return(-1);
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_X509_LOOKUP:
|
| ︙ | ︙ | |||
365 366 367 368 369 370 371 372 373 374 375 376 377 378 |
break;
case SSL_ERROR_SSL:
/* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
dprintf("SSL error, indicating that the connection has been aborted");
if (backingError != 0) {
Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
}
*errorCodePtr = ECONNABORTED;
bytesRead = -1;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
/* Unexpected EOF from the peer for OpenSSL 3.0+ */
if (ERR_GET_REASON(backingError) == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
| > > | 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 |
break;
case SSL_ERROR_SSL:
/* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
dprintf("SSL error, indicating that the connection has been aborted");
if (backingError != 0) {
Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
} else {
Tls_Error(statePtr, "Unknown SSL error");
}
*errorCodePtr = ECONNABORTED;
bytesRead = -1;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
/* Unexpected EOF from the peer for OpenSSL 3.0+ */
if (ERR_GET_REASON(backingError) == SSL_R_UNEXPECTED_EOF_WHILE_READING) {
|
| ︙ | ︙ | |||
394 395 396 397 398 399 400 |
bytesRead = 0;
Tls_Error(statePtr, "EOF reached");
} else if (backingError == 0 && bytesRead == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
bytesRead = -1;
| | | | 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 |
bytesRead = 0;
Tls_Error(statePtr, "EOF reached");
} else if (backingError == 0 && bytesRead == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
bytesRead = -1;
Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr));
} else {
dprintf("I/O error occurred (backingError = %lu)", backingError);
*errorCodePtr = Tcl_GetErrno();
bytesRead = -1;
Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
}
break;
case SSL_ERROR_ZERO_RETURN:
dprintf("Got SSL_ERROR_ZERO_RETURN, this means an EOF has been reached");
|
| ︙ | ︙ | |||
422 423 424 425 426 427 428 429 430 431 |
Tls_Error(statePtr, "SSL_ERROR_WANT_READ");
break;
default:
dprintf("Unknown error (err = %i), mapping to EOF", err);
*errorCodePtr = 0;
bytesRead = 0;
break;
}
| > < < < | 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 |
Tls_Error(statePtr, "SSL_ERROR_WANT_READ");
break;
default:
dprintf("Unknown error (err = %i), mapping to EOF", err);
*errorCodePtr = 0;
bytesRead = 0;
Tls_Error(statePtr, "Unknown error");
break;
}
dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr);
return(bytesRead);
}
/*
*-------------------------------------------------------------------
*
|
| ︙ | ︙ | |||
489 490 491 492 493 494 495 496 497 498 499 500 501 502 |
if (toWrite == 0) {
dprintf("zero-write");
err = BIO_flush(statePtr->bio);
if (err <= 0) {
dprintf("Flushing failed");
*errorCodePtr = EIO;
written = 0;
return(-1);
}
written = 0;
| > | 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 |
if (toWrite == 0) {
dprintf("zero-write");
err = BIO_flush(statePtr->bio);
if (err <= 0) {
dprintf("Flushing failed");
Tls_Error(statePtr, "Flush failed");
*errorCodePtr = EIO;
written = 0;
return(-1);
}
written = 0;
|
| ︙ | ︙ | |||
562 563 564 565 566 567 568 |
written = 0;
Tls_Error(statePtr, "EOF reached");
} else if (backingError == 0 && written == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
written = -1;
| | | > > > < < < | 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 |
written = 0;
Tls_Error(statePtr, "EOF reached");
} else if (backingError == 0 && written == -1) {
dprintf("I/O error occurred (errno = %lu)", (unsigned long) Tcl_GetErrno());
*errorCodePtr = Tcl_GetErrno();
written = -1;
Tls_Error(statePtr, (char *) Tcl_ErrnoMsg(*errorCodePtr));
} else {
dprintf("I/O error occurred (backingError = %lu)", backingError);
*errorCodePtr = Tcl_GetErrno();
written = -1;
Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
}
break;
case SSL_ERROR_SSL:
/* A non-recoverable, fatal error in the SSL library occurred, usually a protocol error */
dprintf("SSL error, indicating that the connection has been aborted");
if (backingError != 0) {
Tls_Error(statePtr, (char *) ERR_reason_error_string(backingError));
} else {
Tls_Error(statePtr, "Unknown SSL error");
}
*errorCodePtr = ECONNABORTED;
written = -1;
break;
default:
dprintf("unknown error: %d", err);
Tls_Error(statePtr, "Unknown error");
break;
}
dprintf("Output(%d) -> %d", toWrite, written);
return(written);
}
/*
*-------------------------------------------------------------------
*
|
| ︙ | ︙ |