Overview
Comment: | Updated default callbacks in tls.tcl file |
---|---|
SHA3-256: |
cdb51c799e75a81df602bb5f60b16e48 |
User & Date: | bohagan on 2023-07-30 02:53:19 |
02:53 | Updated default callbacks in tls.tcl file Closed-Leaf check-in: cdb51c799e user: bohagan tags: errors_and_callbacks | |
Changes
Modified doc/tls.html
from [0f26c0f2be]
to [3c88bc4018].
︙ | ︙ | |||
499 500 501 502 503 504 505 | Where <em>direction</em> is Sent or Received, <em>version</em> is the protocol version, <em>content_type</em> is the message content type, and <em>data</em> is more info on the message from the <code>SSL_trace</code> API. </dd> <br> <dt> | | | 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 | Where <em>direction</em> is Sent or Received, <em>version</em> is the protocol version, <em>content_type</em> is the message content type, and <em>data</em> is more info on the message from the <code>SSL_trace</code> API. </dd> <br> <dt> <strong>session</strong> <em>channel session_id ticket lifetime</em> </dt> <dd> This form of callback is invoked by the OpenSSL function <code>SSL_CTX_sess_set_new_cb()</code>. Where <em>session_id</em> is the current session identifier, <em>ticket</em> is the session ticket info, and <em>lifetime</em> is the the ticket lifetime in seconds. |
︙ | ︙ | |||
555 556 557 558 559 560 561 | <br> <br> <dl> <dt> | | | | | 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 | <br> <br> <dl> <dt> <strong>alpn</strong> <em>channel protocol match</em> </dt> <dd> For servers, this form of callback is invoked when the client ALPN extension is received. If <em>match</em> is true, <em>protocol</em> is the first <b>-alpn</b> specified protocol common to the both the client and server. If not, the first client specified protocol is used. Called after hello and ALPN callbacks. </dd> <br> <dt> <strong>hello</strong> <em>channel servername</em> </dt> <dd> For servers, this form of callback is invoked during client hello message processing. It is used to select an appropriate certificate to present, and make other configuration adjustments relevant to that server name and its configuration. Called before SNI and ALPN callbacks. </dd> <br> <dt> <strong>sni</strong> <em>channel servername</em> </dt> <dd> For servers, this form of callback is invoked when the SNI extension from the client is received. Where <em>servername</em> is the client provided server name from the <b>-servername</b> option. This is used when a server supports multiple names, so the right certificate can be used. Called after hello callback but before ALPN callback. |
︙ | ︙ |
Modified generic/tls.c
from [45bcc590a0]
to [b314eff29c].
︙ | ︙ | |||
604 605 606 607 608 609 610 611 612 613 614 615 616 617 | } else if (ssl == NULL) { return SSL_TLSEXT_ERR_NOACK; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); /* Session id */ session_id = SSL_SESSION_get_id(session, &ulen); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (int) ulen)); /* Session ticket */ SSL_SESSION_get0_ticket(session, &ticket, &len2); | > > | 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 | } else if (ssl == NULL) { return SSL_TLSEXT_ERR_NOACK; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); /* Session id */ session_id = SSL_SESSION_get_id(session, &ulen); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (int) ulen)); /* Session ticket */ SSL_SESSION_get0_ticket(session, &ticket, &len2); |
︙ | ︙ | |||
679 680 681 682 683 684 685 686 687 688 689 690 691 692 | if (statePtr->vcmd == (Tcl_Obj*)NULL) { return res; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(*out, -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewBooleanObj(res == SSL_TLSEXT_ERR_OK)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_TLSEXT_ERR_NOACK; | > > | 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 | if (statePtr->vcmd == (Tcl_Obj*)NULL) { return res; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(*out, -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewBooleanObj(res == SSL_TLSEXT_ERR_OK)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_TLSEXT_ERR_NOACK; |
︙ | ︙ | |||
790 791 792 793 794 795 796 797 798 799 800 801 802 803 | if (statePtr->vcmd == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("sni", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername , -1)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_TLSEXT_ERR_ALERT_WARNING; *alert = SSL_AD_UNRECOGNIZED_NAME; /* Not supported by TLS 1.3 */ | > > | 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 | if (statePtr->vcmd == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("sni", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername , -1)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_TLSEXT_ERR_ALERT_WARNING; *alert = SSL_AD_UNRECOGNIZED_NAME; /* Not supported by TLS 1.3 */ |
︙ | ︙ | |||
890 891 892 893 894 895 896 897 898 899 900 901 902 903 | } remaining = len; servername = (const char *)p; /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (int) len)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_CLIENT_HELLO_RETRY; *alert = SSL_R_TLSV1_ALERT_USER_CANCELLED; | > > | 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 | } remaining = len; servername = (const char *)p; /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (int) len)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { res = SSL_CLIENT_HELLO_RETRY; *alert = SSL_R_TLSV1_ALERT_USER_CANCELLED; |
︙ | ︙ |
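Review bot: In the alpn hunk, the protocol element that follows the newly added channel-name element is still built with `Tcl_NewStringObj(*out, -1)`, which reads until a NUL byte; if this is the usual SSL_CTX_set_alpn_select_cb callback, `*out` points into a length-prefixed protocol list (the server's on a match, the client's first entry otherwise, per the doc hunk) and is not NUL-terminated, so the string handed to the Tcl callback can run past the selected entry into adjacent client-supplied bytes. The length is already available to the callback, so `Tcl_NewStringObj((const char *)*out, (int) *outlen)` would bound it, assuming the length out-parameter is named `outlen` as in the OpenSSL prototype. The hello hunk already does this correctly with `Tcl_NewStringObj(servername, (int) len)`. The alpn function's signature and the code that sets `*out` are outside the hunk, so the exact variable names should be confirmed there.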
Modified library/tls.tcl
from [91a83164bf]
to [806ff9312a].
︙ | ︙ | |||
330 331 332 333 334 335 336 | "error" { foreach {chan msg} $args break log 0 "TLS/$chan: error: $msg" } "info" { # poor man's lassign | | > > > > > > | | | | | | | 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 | "error" { foreach {chan msg} $args break log 0 "TLS/$chan: error: $msg" } "info" { # poor man's lassign foreach {chan major minor msg type} $args break if {$msg != ""} { append state ": $msg" } # For tracing upvar #0 tls::$chan cb set cb($major) $minor log 2 "TLS/$chan: $major/$minor: $state" } "message" { # poor man's lassign foreach {chan direction version content_type msg} $args break log 0 "TLS/$chan: info: $direction $msg" } "session" { foreach {chan session_id ticket lifetime} $args break log 0 "TLS/$chan: session: lifetime $lifetime" } default { return -code error "bad option \"$option\":\ must be one of error, info, or session" } } } # # Sample callback when return value is needed # proc tls::validate_command {option args} { variable debug #log 2 [concat $option $args] switch -- $option { "alpn" { foreach {chan protocol match} $args break log 0 "TLS/$chan: alpn: $protocol $match" } "hello" { foreach {chan servername} $args break log 0 "TLS/$chan: hello: $servername" } "sni" { foreach {chan servername} $args break log 0 "TLS/$chan: sni: $servername" } "verify" { # poor man's lassign foreach {chan depth cert rc err} $args break |
︙ | ︙ | |||
420 421 422 423 424 425 426 | } if {$cb(handshake) == "done"} { return 1 } } } | | | 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 | } if {$cb(handshake) == "done"} { return 1 } } } proc tls::password {rwflag size} { log 0 "TLS/Password: did you forget to set your passwd!" # Return the worlds best kept secret password. return "secret" } proc tls::log {level msg} { variable debug |
︙ | ︙ |
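Review bot: In the first tls.tcl hunk, the rewritten `info` arm reads `$state` in `log 2 "TLS/$chan: $major/$minor: $state"` but only creates it via `append state ": $msg"` when `$msg` is non-empty, so an info callback with an empty message would fail with a "no such variable" error unless `state` is initialized earlier in the proc (the proc header is above the hunk, so that cannot be confirmed here); adding `set state ""` before the `if {$msg != ""}` test removes the dependency. Separately, the `default` arm's error text `must be one of error, info, or session` omits the `message` option handled two arms above it. The `message` arm also logs with the label `info:` rather than `message:`, which makes the two callback kinds indistinguishable in the log.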