Check-in [e1f08bc122]
Overview
Comment:More callback error checking. Added session ticket callback handling. Split set client and server session caching callbacks.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | status_x509
Files: files | file ages | folders
SHA3-256: e1f08bc122aed3fac3ef38b4640e5ba66e68b96d53f7ae90fc784619a67d6cc3
User & Date: bohagan on 2023-06-05 02:47:28
Other Links: branch diff | manifest | tags
Context
2023-06-10
19:45
Added ALPN callback update to catch and return errors in select next protocol. check-in: 1a03a74d6e user: bohagan tags: status_x509
2023-06-05
02:47
More callback error checking. Added session ticket callback handling. Split set client and server session caching callbacks. check-in: e1f08bc122 user: bohagan tags: status_x509
02:09
Use SSL connection states instead of custom states. check-in: 3d083cdfaf user: bohagan tags: status_x509
Changes
428
429
430
431
432
433
434
435

436
437
438
439
440
441
442
428
429
430
431
432
433
434

435
436
437
438
439
440
441
442







-
+







}

/*
 *-------------------------------------------------------------------
 *
 * Session Callback for Clients --
 *
 *	Called when a new session ticket has been received. In TLS 1.3
 *	Called when a new session is added to the cache. In TLS 1.3
 *	this may be received multiple times after the handshake. For
 *	earlier versions, this will be received during the handshake.
 *
 * Results:
 *	None
 *
 * Side effects:
452
453
454
455
456
457
458
459
460





461
462
463
464
465
466
467
452
453
454
455
456
457
458


459
460
461
462
463
464
465
466
467
468
469
470







-
-
+
+
+
+
+







    const unsigned char *session_id;
    int len;
    int code;
    size_t len2;

    dprintf("Called");

    if (statePtr->callback == (Tcl_Obj*)NULL)
	return 0;
    if (statePtr->callback == (Tcl_Obj*)NULL) {
	return SSL_TLSEXT_ERR_OK;
    } else if (ssl == NULL) {
	return SSL_TLSEXT_ERR_NOACK;
    }

    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1));

    /* Session id */
    session_id = SSL_SESSION_get0_id_context(session, &len);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(session_id, len));
486
487
488
489
490
491
492

493

494
495
496
497
498
499
500
489
490
491
492
493
494
495
496

497
498
499
500
501
502
503
504







+
-
+







	Tcl_BackgroundException(interp, code);
#endif
    }
    Tcl_DecrRefCount(cmdPtr);

    Tcl_Release((ClientData) statePtr);
    Tcl_Release((ClientData) interp);
    /* If return non-zero, caller will have to do a SSL_SESSION_free() on the structure. */
    return 1;
    return 0;
}

/*
 *-------------------------------------------------------------------
 *
 * ALPN Callback for Servers --
 *
522
523
524
525
526
527
528
529

530



531
532
533
534
535
536
537
526
527
528
529
530
531
532

533
534
535
536
537
538
539
540
541
542
543
544







-
+

+
+
+







    State *statePtr = (State*)arg;
    Tcl_Interp *interp	= statePtr->interp;
    Tcl_Obj *cmdPtr;
    int code;

    dprintf("Called");

    if (statePtr->callback == (Tcl_Obj*)NULL)
    if (statePtr->callback == (Tcl_Obj*)NULL) {
	return SSL_TLSEXT_ERR_OK;
    } else if (ssl == NULL) {
	return SSL_TLSEXT_ERR_NOACK;
    }

    /* Select protocol */
    SSL_select_next_proto(out, outlen, statePtr->protos, statePtr->protos_len, in, inlen);

    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("alpn", -1));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(*out, -1));
656
657
658
659
660
661
662
663
664





665
666
667
668
669
670
671
663
664
665
666
667
668
669


670
671
672
673
674
675
676
677
678
679
680
681







-
-
+
+
+
+
+







    int code;
    const char *servername;
    const unsigned char *p;
    size_t len, remaining;

    dprintf("Called");

    if (statePtr->callback == (Tcl_Obj*)NULL)
	return SSL_CLIENT_HELLO_SUCCESS;
    if (statePtr->callback == (Tcl_Obj*)NULL) {
	return SSL_TLSEXT_ERR_OK;
    } else if (ssl == NULL) {
	return SSL_TLSEXT_ERR_NOACK;
    }

    /* Get names */
    if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) || remaining <= 2) {
        return SSL_CLIENT_HELLO_ERROR;
    }

    /* Extract the length of the supplied list of names. */
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349




1350
1351
1352
1353
1354
1355
1356
1337
1338
1339
1340
1341
1342
1343

1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369







-















+
+
+
+








    /*
     * SSL Callbacks
     */
    SSL_set_app_data(statePtr->ssl, (void *)statePtr);	/* point back to us */
    SSL_set_verify(statePtr->ssl, verify, VerifyCallback);
    SSL_CTX_set_info_callback(statePtr->ctx, InfoCallback);
    SSL_CTX_sess_set_new_cb(statePtr->ctx, SessionCallback);

    /* Create Tcl_Channel BIO Handler */
    statePtr->p_bio	= BIO_new_tcl(statePtr, BIO_NOCLOSE);
    statePtr->bio	= BIO_new(BIO_f_ssl());

    if (server) {
	/* Server callbacks */
	SSL_CTX_set_alpn_select_cb(statePtr->ctx, ALPNCallback, (void *)statePtr);
	SSL_CTX_set_tlsext_servername_arg(statePtr->ctx, (void *)statePtr);
	SSL_CTX_set_tlsext_servername_callback(statePtr->ctx, SNICallback);
	SSL_CTX_set_client_hello_cb(statePtr->ctx, HelloCallback, (void *)statePtr);

	statePtr->flags |= TLS_TCL_SERVER;
	SSL_set_accept_state(statePtr->ssl);
    } else {
	/* Session caching */
	SSL_CTX_set_session_cache_mode(statePtr->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
	SSL_CTX_sess_set_new_cb(statePtr->ctx, SessionCallback);

	SSL_set_connect_state(statePtr->ssl);
    }
    SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio);
    BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE);

    /*
     * End of SSL Init