Overview
Comment: | Updated password callback to add rwflag size arguments to callback. Callback now works like other callbacks with the function followed by args. Refactored get result processing. Added more info to doc file. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | errors_and_callbacks |
Files: | files | file ages | folders |
SHA3-256: |
c072b00aebbdca0dec0b915ca2d44cc9 |
User & Date: | bohagan on 2023-07-30 00:20:14 |
Other Links: | branch diff | manifest | tags |
Context
2023-07-30
| ||
02:09 | Add match result to ALPN callback parameters. This indicates if a common protocol was found or not. check-in: 75f1cfb376 user: bohagan tags: errors_and_callbacks | |
00:20 | Updated password callback to add rwflag size arguments to callback. Callback now works like other callbacks with the function followed by args. Refactored get result processing. Added more info to doc file. check-in: c072b00aeb user: bohagan tags: errors_and_callbacks | |
2023-07-29
| ||
21:33 | Added message status to callback command results. It is only available when OpenSSL is complied with the enable-ssl-trace option. check-in: 5ddead759f user: bohagan tags: errors_and_callbacks | |
Changes
Modified doc/tls.html
from [cc4fe664cc]
to [a0b037f824].
︙ | ︙ | |||
118 119 120 121 122 123 124 | socket, but must provide bi-directional flow. Also setting session parameters for SSL handshake.</dd> <blockquote> <dl> <dt><strong>-alpn</strong> <em>list</em></dt> <dd>List of protocols to offer during Application-Layer | | > | 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 | socket, but must provide bi-directional flow. Also setting session parameters for SSL handshake.</dd> <blockquote> <dl> <dt><strong>-alpn</strong> <em>list</em></dt> <dd>List of protocols to offer during Application-Layer Protocol Negotiation (ALPN). For example: <em>h2</em> and <em>http/1.1</em>, but not <em>h3</em> or <em>quic</em>.</dd> <dt><strong>-cadir</strong> <em>dir</em></dt> <dd>Set the CA certificates path. The default directory is platform specific and can be set at compile time. This can be overridden via the <b>SSL_CERT_DIR</b> environment variable.</dd> <dt><strong>-cafile </strong><em>filename</em></dt> <dd>Set the certificate authority (CA) certificates file. The default is the cert.pem file in the OpsnSSL directory. This can also be |
︙ | ︙ | |||
432 433 434 435 436 437 438 439 440 441 442 443 444 445 | <p> As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the <strong>-command</strong>, <strong>-password</strong>, and <strong>-validate_command</strong> options passed to either of <strong>tls::socket</strong> or <strong>tls::import</strong>. </p> <blockquote> <dl> <dt><strong>-command</strong> <em>callback</em></dt> <dd> | > > | | | | < | 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 | <p> As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the <strong>-command</strong>, <strong>-password</strong>, and <strong>-validate_command</strong> options passed to either of <strong>tls::socket</strong> or <strong>tls::import</strong>. If the callback generates an error, the <b>bgerror</b> command with be invoked with the error information. </p> <blockquote> <dl> <dt><strong>-command</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script at several points during the OpenSSL handshake and use. See below for the possible arguments passed to the callback script. Values returned from the callback are ignored. <br> <br> <dl> <dt> |
︙ | ︙ | |||
475 476 477 478 479 480 481 | <ul> <li>Possible values for <em>major</em> are: <code>handshake, alert, connect, accept</code>.</li> <li>Possible values for <em>minor</em> are: <code>start, done, read, write, loop, exit</code>.</li> <li>The <em>message</em> argument is a descriptive string which may be generated either by <code>SSL_state_string_long()</code> or by | | | 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 | <ul> <li>Possible values for <em>major</em> are: <code>handshake, alert, connect, accept</code>.</li> <li>Possible values for <em>minor</em> are: <code>start, done, read, write, loop, exit</code>.</li> <li>The <em>message</em> argument is a descriptive string which may be generated either by <code>SSL_state_string_long()</code> or by <code>SSL_alert_desc_string_long()</code>, depending on the context.</li> <li>For alerts, the possible values for <em>type</em> are: <code>warning, fatal, and unknown</code>. For others, <code>info</code> is used.</li> </ul> </dd> <dt> |
︙ | ︙ | |||
515 516 517 518 519 520 521 | </dd> <br> <dt><strong>-password</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script when OpenSSL needs to | > > > > > > > > > > > > > > > > | < > | > | | > | 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 | </dd> <br> <dt><strong>-password</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script when OpenSSL needs to obtain a password. See below for the possible arguments passed to the callback script. See below for valid return values. <br> <br> <dl> <dt> <strong>password</strong> <em>rwflag size</em> </dt> <dd> Invoked when loading or storing a PEM certificate with encryption. Where <em>rwflag</em> is 0 for reading/decryption or 1 for writing/encryption (can prompt user to confirm) and <em>size</em> is the max password length in bytes. The callback should return the password as a string. </dd> </dd> <br> <dt><strong>-validatecommand</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script during handshake in order to validate the provided value(s). See below for the possible arguments passed to the callback script. To reject the value and abort connection, the callback should return 0. To accept the value and continue the connection, it should return 1. To reject the value, but continue the connection, it should return 2. <br> <br> <dl> <dt> <strong>alpn</strong> <em>protocol</em> </dt> <dd> For servers, this form of callback is invoked when the client ALPN extension is received. Where <em>protocol</em> is the first <b>-alpn</b> specified protocol common to the both the client and server. If none, the first client specified protocol is used. Called after hello and ALPN callbacks. </dd> <br> <dt> <strong>hello</strong> <em>servername</em> </dt> |
︙ | ︙ |
Modified generic/tls.c
from [a5b24e4b6d]
to [c6cfb160ec].
︙ | ︙ | |||
487 488 489 490 491 492 493 | } /* *------------------------------------------------------------------- * * Password Callback -- * | | | | > > > > > > > > > | > > > | > > | > | > | > | | < < | 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 | } /* *------------------------------------------------------------------- * * Password Callback -- * * Called when a password for a private key loading/storing a PEM * certificate with encryption. Evals callback script and returns * the result as the password string in buf. * * Results: * None * * Side effects: * Calls callback (if defined) * * Returns: * Password size in bytes or -1 for an error. * *------------------------------------------------------------------- */ static int PasswordCallback(char *buf, int size, int rwflag, void *udata) { State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; dprintf("Called"); /* If no callback, use default callback */ if (statePtr->password == NULL) { if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) == TCL_OK) { char *ret = (char *) Tcl_GetStringResult(interp); strncpy(buf, ret, (size_t) size); return (int)strlen(ret); } else { return -1; } } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->password); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("password", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(rwflag)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(size)); Tcl_Preserve((ClientData) interp); Tcl_Preserve((ClientData) statePtr); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL); if (code != TCL_OK) { #if (TCL_MAJOR_VERSION == 8) && (TCL_MINOR_VERSION < 6) Tcl_BackgroundError(interp); #else Tcl_BackgroundException(interp, code); #endif } Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long */ if (code == TCL_OK) { int len; char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > size-1) { len = size-1; } strncpy(buf, ret, (size_t) len); buf[len] = '\0'; Tcl_Release((ClientData) interp); return(len); } Tcl_Release((ClientData) interp); return -1; } /* *------------------------------------------------------------------- * * Session Callback for Clients -- * |
︙ | ︙ |