Index: doc/tls.html ================================================================== --- doc/tls.html +++ doc/tls.html @@ -120,11 +120,12 @@
-alpn list
List of protocols to offer during Application-Layer - Protocol Negotiation (ALPN). For example: h2, http/1.1, etc.
+ Protocol Negotiation (ALPN). For example: h2 and + http/1.1, but not h3 or quic.
-cadir dir
Set the CA certificates path. The default directory is platform specific and can be set at compile time. This can be overridden via the SSL_CERT_DIR environment variable.
-cafile filename
@@ -434,22 +435,23 @@ As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the -command, -password, and -validate_command options passed to either of tls::socket or tls::import. +If the callback generates an error, the bgerror command with be +invoked with the error information.

-command callback
- Invokes the specified callback script at - several points during the OpenSSL handshake. - Values returned from the callback are ignored. - Arguments appended to the script upon callback take one of the - following forms: + Invokes the specified callback script at several points + during the OpenSSL handshake and use. See below for the possible + arguments passed to the callback script. Values returned from the + callback are ignored.

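Review bot: the sentence added in this hunk has a typo: "the bgerror command with be invoked" should read "will be invoked". The reworded -command description, "at several points during the OpenSSL handshake and use", also reads awkwardly; suggest "during the OpenSSL handshake and during later use of the connection" so it is clear that callbacks continue after the handshake completes.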
@@ -477,11 +479,11 @@ handshake, alert, connect, accept.
  • Possible values for minor are: start, done, read, write, loop, exit.
  • The message argument is a descriptive string which may be generated either by SSL_state_string_long() or by - SSL_alert_desc_string_long(), depending on context.
  • + SSL_alert_desc_string_long(), depending on the context.
  • For alerts, the possible values for type are: warning, fatal, and unknown. For others, info is used.
  • @@ -517,24 +519,41 @@
    -password callback
    Invokes the specified callback script when OpenSSL needs to - obtain a password. The callback should return the password as a string. - No arguments are appended to the script upon callback. + obtain a password. See below for the possible arguments passed to + the callback script. See below for valid return values. + +
    +
    + +
    + +
    + password rwflag size +
    +
    + Invoked when loading or storing a PEM certificate with encryption. + Where rwflag is 0 for reading/decryption or 1 for + writing/encryption (can prompt user to confirm) and + size is the max password length in bytes. + The callback should return the password as a string. +

    -validatecommand callback
    Invokes the specified callback script during handshake in - order to validate the provided value(s). + order to validate the provided value(s). See below for the possible + arguments passed to the callback script. To reject the value and abort connection, the callback should return 0. - To accept the value, it should return 1. To reject the value, but - continue the connection, it should return 2. + To accept the value and continue the connection, it should return 1. + To reject the value, but continue the connection, it should return 2.

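Review bot: the new "password rwflag size" description says size "is the max password length in bytes", but the matching PasswordCallback change in generic/tls.c caps the returned string at size-1 bytes to leave room for the terminating NUL, so the value the script receives is the buffer size, not the maximum password length. Either document it as "size is the size of the password buffer in bytes; passwords longer than size-1 bytes are truncated" or pass size-1 to the script. The -password text also says "See below for valid return values", yet the only statement below is "The callback should return the password as a string"; stating the truncation behaviour there would make that reference meaningful.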
    @@ -545,10 +564,11 @@
    For servers, this form of callback is invoked when the client ALPN extension is received. Where protocol is the first -alpn specified protocol common to the both the client and server. If none, the first client specified protocol is used. + Called after hello and ALPN callbacks.

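Review bot: the added line "Called after hello and ALPN callbacks." is a fragment and does not say which callbacks it means; since this paragraph documents the -validatecommand ALPN form, suggest "This validate callback is invoked after the -command hello and alpn callbacks." The surrounding unchanged context also carries a pre-existing typo, "common to the both the client and server", which could be fixed in the same edit.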
    Index: generic/tls.c ================================================================== --- generic/tls.c +++ generic/tls.c @@ -489,18 +489,27 @@ /* *------------------------------------------------------------------- * * Password Callback -- * - * Called when a password is needed to unpack RSA and PEM keys. - * Evals any bound password script and returns the result as - * the password string. + * Called when a password for a private key loading/storing a PEM + * certificate with encryption. Evals callback script and returns + * the result as the password string in buf. + * + * Results: + * None + * + * Side effects: + * Calls callback (if defined) + * + * Returns: + * Password size in bytes or -1 for an error. * *------------------------------------------------------------------- */ static int -PasswordCallback(char *buf, int size, int verify, void *udata) { +PasswordCallback(char *buf, int size, int rwflag, void *udata) { State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; @@ -517,15 +526,18 @@ } } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->password); + Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("password", -1)); + Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(rwflag)); + Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(size)); Tcl_Preserve((ClientData) interp); Tcl_Preserve((ClientData) statePtr); - /* Eval callback and success for ok, abort for error, continue for continue */ + /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL); if (code != TCL_OK) { #if (TCL_MAJOR_VERSION == 8) && (TCL_MINOR_VERSION < 6) Tcl_BackgroundError(interp); 
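Review bot: the rewritten header comment is ungrammatical and internally inconsistent: "Called when a password for a private key loading/storing a PEM certificate with encryption" is missing a verb (suggest "Called when a password is needed to load or store an encrypted PEM private key or certificate"), and the block lists both "Results: None" and "Returns: Password size in bytes or -1 for an error"; keep only the Returns entry. In the argument-appending hunk, the three Tcl_ListObjAppendElement calls discard their return codes; cmdPtr comes straight from Tcl_DuplicateObj so it is unshared and the calls cannot realistically fail, but checking them (or a comment saying why not) would match the error handling applied to Tcl_EvalObjEx just below.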
@@ -535,21 +547,24 @@ } Tcl_DecrRefCount(cmdPtr); Tcl_Release((ClientData) statePtr); + /* If successful, pass back password string and truncate if too long */ if (code == TCL_OK) { - char *ret = (char *) Tcl_GetStringResult(interp); - if (strlen(ret) < size - 1) { - strncpy(buf, ret, (size_t) size); - Tcl_Release((ClientData) interp); - return (int)strlen(ret); + int len; + char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); + if (len > size-1) { + len = size-1; } + strncpy(buf, ret, (size_t) len); + buf[len] = '\0'; + Tcl_Release((ClientData) interp); + return(len); } Tcl_Release((ClientData) interp); return -1; - verify = verify; } /* *------------------------------------------------------------------- *
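Review bot: this hunk changes a failure into silent truncation. The old code only copied the result when strlen(ret) < size - 1 and otherwise fell through to return -1, which makes OpenSSL report the password as unavailable; the new code clamps len to size-1, copies that prefix, NUL-terminates, and returns the shortened length. A password that was too long will then simply fail to decrypt the key with no indication that it was cut, which is hard to diagnose. Suggest either keeping the -1 return when len > size-1 (ideally with a Tcl error such as "password too long for buffer"), or at minimum documenting the truncation in doc/tls.html. The copy itself is correct: strncpy with len <= size-1 followed by buf[len] = '\0' always leaves a terminated string within the buffer, and dropping the "verify = verify;" no-op is right now that the parameter is renamed to rwflag and actually used.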