Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
接近 2 年 前同步成功

通知 12
Star 18
Fork 1
T
Third Party Openssl
提交 f63a17d6 编写于 作者: M Matt Caswell
浏览文件
操作

Convert the state machine code to use SSLfatal() 

Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)
上级 4752c5de
显示空白变更内容
内联 并排
Showing with 2449 addition and 1844 deletion
crypto/err/openssl.txt
浏览文件 @ f63a17d6
...@@ -965,9 +965,13 @@ SSL_F_ADD_CLIENT_KEY_SHARE_EXT:438:* ...@@ -965,9 +965,13 @@ SSL_F_ADD_CLIENT_KEY_SHARE_EXT:438:*
SSL_F_ADD_KEY_SHARE:512:add_key_share SSL_F_ADD_KEY_SHARE:512:add_key_share
SSL_F_BYTES_TO_CIPHER_LIST:519:bytes_to_cipher_list SSL_F_BYTES_TO_CIPHER_LIST:519:bytes_to_cipher_list
SSL_F_CHECK_SUITEB_CIPHER_LIST:331:check_suiteb_cipher_list SSL_F_CHECK_SUITEB_CIPHER_LIST:331:check_suiteb_cipher_list
SSL_F_CONSTRUCT_CA_NAMES:552:construct_ca_names
SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS:553:construct_key_exchange_tbs
SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH:539:create_synthetic_message_hash SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH:539:create_synthetic_message_hash
SSL_F_CT_MOVE_SCTS:345:ct_move_scts SSL_F_CT_MOVE_SCTS:345:ct_move_scts
SSL_F_CT_STRICT:349:ct_strict SSL_F_CT_STRICT:349:ct_strict
SSL_F_CUSTOM_EXT_ADD:554:custom_ext_add
SSL_F_CUSTOM_EXT_PARSE:555:custom_ext_parse
SSL_F_D2I_SSL_SESSION:103:d2i_SSL_SESSION SSL_F_D2I_SSL_SESSION:103:d2i_SSL_SESSION
SSL_F_DANE_CTX_ENABLE:347:dane_ctx_enable SSL_F_DANE_CTX_ENABLE:347:dane_ctx_enable
SSL_F_DANE_MTYPE_SET:393:dane_mtype_set SSL_F_DANE_MTYPE_SET:393:dane_mtype_set
...@@ -993,11 +997,15 @@ SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST:385:\ ...@@ -993,11 +997,15 @@ SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST:385:\
SSL_F_DTLS_GET_REASSEMBLED_MESSAGE:370:dtls_get_reassembled_message SSL_F_DTLS_GET_REASSEMBLED_MESSAGE:370:dtls_get_reassembled_message
SSL_F_DTLS_PROCESS_HELLO_VERIFY:386:dtls_process_hello_verify SSL_F_DTLS_PROCESS_HELLO_VERIFY:386:dtls_process_hello_verify
SSL_F_EARLY_DATA_COUNT_OK:532:early_data_count_ok SSL_F_EARLY_DATA_COUNT_OK:532:early_data_count_ok
SSL_F_FINAL_EARLY_DATA:556:final_early_data
SSL_F_FINAL_EC_PT_FORMATS:485:final_ec_pt_formats SSL_F_FINAL_EC_PT_FORMATS:485:final_ec_pt_formats
SSL_F_FINAL_EMS:486:final_ems SSL_F_FINAL_EMS:486:final_ems
SSL_F_FINAL_KEY_SHARE:503:final_key_share SSL_F_FINAL_KEY_SHARE:503:final_key_share
SSL_F_FINAL_MAXFRAGMENTLEN:557:final_maxfragmentlen
SSL_F_FINAL_RENEGOTIATE:483:final_renegotiate SSL_F_FINAL_RENEGOTIATE:483:final_renegotiate
SSL_F_FINAL_SERVER_NAME:558:final_server_name
SSL_F_FINAL_SIG_ALGS:497:final_sig_algs SSL_F_FINAL_SIG_ALGS:497:final_sig_algs
SSL_F_GET_CERT_VERIFY_TBS_DATA:588:get_cert_verify_tbs_data
SSL_F_NSS_KEYLOG_INT:500:nss_keylog_int SSL_F_NSS_KEYLOG_INT:500:nss_keylog_int
SSL_F_OPENSSL_INIT_SSL:342:OPENSSL_init_ssl SSL_F_OPENSSL_INIT_SSL:342:OPENSSL_init_ssl
SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION:436:* SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION:436:*
...@@ -1010,6 +1018,7 @@ SSL_F_PARSE_CA_NAMES:541:parse_ca_names ...@@ -1010,6 +1018,7 @@ SSL_F_PARSE_CA_NAMES:541:parse_ca_names
SSL_F_PROCESS_KEY_SHARE_EXT:439:* SSL_F_PROCESS_KEY_SHARE_EXT:439:*
SSL_F_READ_STATE_MACHINE:352:read_state_machine SSL_F_READ_STATE_MACHINE:352:read_state_machine
SSL_F_SET_CLIENT_CIPHERSUITE:540:set_client_ciphersuite SSL_F_SET_CLIENT_CIPHERSUITE:540:set_client_ciphersuite
SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET:589:srp_generate_server_master_secret
SSL_F_SSL3_CHANGE_CIPHER_STATE:129:ssl3_change_cipher_state SSL_F_SSL3_CHANGE_CIPHER_STATE:129:ssl3_change_cipher_state
SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM:130:ssl3_check_cert_and_algorithm SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM:130:ssl3_check_cert_and_algorithm
SSL_F_SSL3_CTRL:213:ssl3_ctrl SSL_F_SSL3_CTRL:213:ssl3_ctrl
...@@ -1017,6 +1026,7 @@ SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl ...@@ -1017,6 +1026,7 @@ SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl
SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records
SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec
SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac
SSL_F_SSL3_FINISH_MAC:587:ssl3_finish_mac
SSL_F_SSL3_GENERATE_KEY_BLOCK:238:ssl3_generate_key_block SSL_F_SSL3_GENERATE_KEY_BLOCK:238:ssl3_generate_key_block
SSL_F_SSL3_GENERATE_MASTER_SECRET:388:ssl3_generate_master_secret SSL_F_SSL3_GENERATE_MASTER_SECRET:388:ssl3_generate_master_secret
SSL_F_SSL3_GET_RECORD:143:ssl3_get_record SSL_F_SSL3_GET_RECORD:143:ssl3_get_record
...@@ -1087,15 +1097,18 @@ SSL_F_SSL_CTX_USE_SERVERINFO_EX:543:SSL_CTX_use_serverinfo_ex ...@@ -1087,15 +1097,18 @@ SSL_F_SSL_CTX_USE_SERVERINFO_EX:543:SSL_CTX_use_serverinfo_ex
SSL_F_SSL_CTX_USE_SERVERINFO_FILE:337:SSL_CTX_use_serverinfo_file SSL_F_SSL_CTX_USE_SERVERINFO_FILE:337:SSL_CTX_use_serverinfo_file
SSL_F_SSL_DANE_DUP:403:ssl_dane_dup SSL_F_SSL_DANE_DUP:403:ssl_dane_dup
SSL_F_SSL_DANE_ENABLE:395:SSL_dane_enable SSL_F_SSL_DANE_ENABLE:395:SSL_dane_enable
SSL_F_SSL_DERIVE:590:ssl_derive
SSL_F_SSL_DO_CONFIG:391:ssl_do_config SSL_F_SSL_DO_CONFIG:391:ssl_do_config
SSL_F_SSL_DO_HANDSHAKE:180:SSL_do_handshake SSL_F_SSL_DO_HANDSHAKE:180:SSL_do_handshake
SSL_F_SSL_DUP_CA_LIST:408:SSL_dup_CA_list SSL_F_SSL_DUP_CA_LIST:408:SSL_dup_CA_list
SSL_F_SSL_ENABLE_CT:402:SSL_enable_ct SSL_F_SSL_ENABLE_CT:402:SSL_enable_ct
SSL_F_SSL_GENERATE_PKEY_GROUP:559:ssl_generate_pkey_group
SSL_F_SSL_GENERATE_SESSION_ID:547:ssl_generate_session_id SSL_F_SSL_GENERATE_SESSION_ID:547:ssl_generate_session_id
SSL_F_SSL_GET_NEW_SESSION:181:ssl_get_new_session SSL_F_SSL_GET_NEW_SESSION:181:ssl_get_new_session
SSL_F_SSL_GET_PREV_SESSION:217:ssl_get_prev_session SSL_F_SSL_GET_PREV_SESSION:217:ssl_get_prev_session
SSL_F_SSL_GET_SERVER_CERT_INDEX:322:* SSL_F_SSL_GET_SERVER_CERT_INDEX:322:*
SSL_F_SSL_GET_SIGN_PKEY:183:* SSL_F_SSL_GET_SIGN_PKEY:183:*
SSL_F_SSL_HANDSHAKE_HASH:560:ssl_handshake_hash
SSL_F_SSL_INIT_WBIO_BUFFER:184:ssl_init_wbio_buffer SSL_F_SSL_INIT_WBIO_BUFFER:184:ssl_init_wbio_buffer
SSL_F_SSL_KEY_UPDATE:515:SSL_key_update SSL_F_SSL_KEY_UPDATE:515:SSL_key_update
SSL_F_SSL_LOAD_CLIENT_CA_FILE:185:SSL_load_client_CA_file SSL_F_SSL_LOAD_CLIENT_CA_FILE:185:SSL_load_client_CA_file
...@@ -1103,6 +1116,7 @@ SSL_F_SSL_LOG_MASTER_SECRET:498:* ...@@ -1103,6 +1116,7 @@ SSL_F_SSL_LOG_MASTER_SECRET:498:*
SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE:499:ssl_log_rsa_client_key_exchange SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE:499:ssl_log_rsa_client_key_exchange
SSL_F_SSL_MODULE_INIT:392:ssl_module_init SSL_F_SSL_MODULE_INIT:392:ssl_module_init
SSL_F_SSL_NEW:186:SSL_new SSL_F_SSL_NEW:186:SSL_new
SSL_F_SSL_NEXT_PROTO_VALIDATE:565:ssl_next_proto_validate
SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT:300:* SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT:300:*
SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT:302:* SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT:302:*
SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT:310:* SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT:310:*
...@@ -1163,6 +1177,8 @@ SSL_F_STATE_MACHINE:353:state_machine ...@@ -1163,6 +1177,8 @@ SSL_F_STATE_MACHINE:353:state_machine
SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg
SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs
SSL_F_TLS13_CHANGE_CIPHER_STATE:440:tls13_change_cipher_state SSL_F_TLS13_CHANGE_CIPHER_STATE:440:tls13_change_cipher_state
SSL_F_TLS13_GENERATE_SECRET:591:tls13_generate_secret
SSL_F_TLS13_HKDF_EXPAND:561:tls13_hkdf_expand
SSL_F_TLS13_SETUP_KEY_BLOCK:441:tls13_setup_key_block SSL_F_TLS13_SETUP_KEY_BLOCK:441:tls13_setup_key_block
SSL_F_TLS1_CHANGE_CIPHER_STATE:209:tls1_change_cipher_state SSL_F_TLS1_CHANGE_CIPHER_STATE:209:tls1_change_cipher_state
SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS:341:* SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS:341:*
...@@ -1258,17 +1274,40 @@ SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO:521:\ ...@@ -1258,17 +1274,40 @@ SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO:521:\
tls_early_post_process_client_hello tls_early_post_process_client_hello
SSL_F_TLS_GET_MESSAGE_BODY:351:tls_get_message_body SSL_F_TLS_GET_MESSAGE_BODY:351:tls_get_message_body
SSL_F_TLS_GET_MESSAGE_HEADER:387:tls_get_message_header SSL_F_TLS_GET_MESSAGE_HEADER:387:tls_get_message_header
SSL_F_TLS_HANDLE_ALPN:562:tls_handle_alpn
SSL_F_TLS_HANDLE_STATUS_REQUEST:563:tls_handle_status_request
SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES:566:tls_parse_certificate_authorities
SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT:449:* SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT:449:*
SSL_F_TLS_PARSE_CTOS_ALPN:567:tls_parse_ctos_alpn
SSL_F_TLS_PARSE_CTOS_EARLY_DATA:568:tls_parse_ctos_early_data
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS:569:tls_parse_ctos_ec_pt_formats
SSL_F_TLS_PARSE_CTOS_EMS:570:tls_parse_ctos_ems
SSL_F_TLS_PARSE_CTOS_KEY_SHARE:463:tls_parse_ctos_key_share SSL_F_TLS_PARSE_CTOS_KEY_SHARE:463:tls_parse_ctos_key_share
SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN:571:tls_parse_ctos_maxfragmentlen
SSL_F_TLS_PARSE_CTOS_PSK:505:tls_parse_ctos_psk SSL_F_TLS_PARSE_CTOS_PSK:505:tls_parse_ctos_psk
SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES:572:tls_parse_ctos_psk_kex_modes
SSL_F_TLS_PARSE_CTOS_RENEGOTIATE:464:tls_parse_ctos_renegotiate SSL_F_TLS_PARSE_CTOS_RENEGOTIATE:464:tls_parse_ctos_renegotiate
SSL_F_TLS_PARSE_CTOS_SERVER_NAME:573:tls_parse_ctos_server_name
SSL_F_TLS_PARSE_CTOS_SESSION_TICKET:574:tls_parse_ctos_session_ticket
SSL_F_TLS_PARSE_CTOS_SIG_ALGS:575:tls_parse_ctos_sig_algs
SSL_F_TLS_PARSE_CTOS_SRP:576:tls_parse_ctos_srp
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST:577:tls_parse_ctos_status_request
SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS:578:tls_parse_ctos_supported_groups
SSL_F_TLS_PARSE_CTOS_USE_SRTP:465:tls_parse_ctos_use_srtp SSL_F_TLS_PARSE_CTOS_USE_SRTP:465:tls_parse_ctos_use_srtp
SSL_F_TLS_PARSE_STOC_ALPN:579:tls_parse_stoc_alpn
SSL_F_TLS_PARSE_STOC_COOKIE:534:tls_parse_stoc_cookie SSL_F_TLS_PARSE_STOC_COOKIE:534:tls_parse_stoc_cookie
SSL_F_TLS_PARSE_STOC_EARLY_DATA:538:tls_parse_stoc_early_data SSL_F_TLS_PARSE_STOC_EARLY_DATA:538:tls_parse_stoc_early_data
SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO:528:* SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO:528:*
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS:580:tls_parse_stoc_ec_pt_formats
SSL_F_TLS_PARSE_STOC_KEY_SHARE:445:tls_parse_stoc_key_share SSL_F_TLS_PARSE_STOC_KEY_SHARE:445:tls_parse_stoc_key_share
SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN:581:tls_parse_stoc_maxfragmentlen
SSL_F_TLS_PARSE_STOC_NPN:582:tls_parse_stoc_npn
SSL_F_TLS_PARSE_STOC_PSK:502:tls_parse_stoc_psk SSL_F_TLS_PARSE_STOC_PSK:502:tls_parse_stoc_psk
SSL_F_TLS_PARSE_STOC_RENEGOTIATE:448:tls_parse_stoc_renegotiate SSL_F_TLS_PARSE_STOC_RENEGOTIATE:448:tls_parse_stoc_renegotiate
SSL_F_TLS_PARSE_STOC_SCT:564:tls_parse_stoc_sct
SSL_F_TLS_PARSE_STOC_SERVER_NAME:583:tls_parse_stoc_server_name
SSL_F_TLS_PARSE_STOC_SESSION_TICKET:584:tls_parse_stoc_session_ticket
SSL_F_TLS_PARSE_STOC_STATUS_REQUEST:585:tls_parse_stoc_status_request
SSL_F_TLS_PARSE_STOC_USE_SRTP:446:tls_parse_stoc_use_srtp SSL_F_TLS_PARSE_STOC_USE_SRTP:446:tls_parse_stoc_use_srtp
SSL_F_TLS_POST_PROCESS_CLIENT_HELLO:378:tls_post_process_client_hello SSL_F_TLS_POST_PROCESS_CLIENT_HELLO:378:tls_post_process_client_hello
SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE:384:\ SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE:384:\
...@@ -1309,6 +1348,7 @@ SSL_F_TLS_PSK_DO_BINDER:506:tls_psk_do_binder ...@@ -1309,6 +1348,7 @@ SSL_F_TLS_PSK_DO_BINDER:506:tls_psk_do_binder
SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT:450:* SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT:450:*
SSL_F_TLS_SETUP_HANDSHAKE:508:tls_setup_handshake SSL_F_TLS_SETUP_HANDSHAKE:508:tls_setup_handshake
SSL_F_USE_CERTIFICATE_CHAIN_FILE:220:use_certificate_chain_file SSL_F_USE_CERTIFICATE_CHAIN_FILE:220:use_certificate_chain_file
SSL_F_WRITE_STATE_MACHINE:586:write_state_machine
TS_F_DEF_SERIAL_CB:110:def_serial_cb TS_F_DEF_SERIAL_CB:110:def_serial_cb
TS_F_DEF_TIME_CB:111:def_time_cb TS_F_DEF_TIME_CB:111:def_time_cb
TS_F_ESS_ADD_SIGNING_CERT:112:ess_add_signing_cert TS_F_ESS_ADD_SIGNING_CERT:112:ess_add_signing_cert
...@@ -2286,14 +2326,17 @@ SSL_R_BAD_DATA_RETURNED_BY_CALLBACK:106:bad data returned by callback ...@@ -2286,14 +2326,17 @@ SSL_R_BAD_DATA_RETURNED_BY_CALLBACK:106:bad data returned by callback
SSL_R_BAD_DECOMPRESSION:107:bad decompression SSL_R_BAD_DECOMPRESSION:107:bad decompression
SSL_R_BAD_DH_VALUE:102:bad dh value SSL_R_BAD_DH_VALUE:102:bad dh value
SSL_R_BAD_DIGEST_LENGTH:111:bad digest length SSL_R_BAD_DIGEST_LENGTH:111:bad digest length
SSL_R_BAD_EARLY_DATA:233:bad early data
SSL_R_BAD_ECC_CERT:304:bad ecc cert SSL_R_BAD_ECC_CERT:304:bad ecc cert
SSL_R_BAD_ECPOINT:306:bad ecpoint SSL_R_BAD_ECPOINT:306:bad ecpoint
SSL_R_BAD_EXTENSION:110:bad extension SSL_R_BAD_EXTENSION:110:bad extension
SSL_R_BAD_HANDSHAKE_LENGTH:332:bad handshake length SSL_R_BAD_HANDSHAKE_LENGTH:332:bad handshake length
SSL_R_BAD_HANDSHAKE_STATE:236:bad handshake state
SSL_R_BAD_HELLO_REQUEST:105:bad hello request SSL_R_BAD_HELLO_REQUEST:105:bad hello request
SSL_R_BAD_KEY_SHARE:108:bad key share SSL_R_BAD_KEY_SHARE:108:bad key share
SSL_R_BAD_KEY_UPDATE:122:bad key update SSL_R_BAD_KEY_UPDATE:122:bad key update
SSL_R_BAD_LENGTH:271:bad length SSL_R_BAD_LENGTH:271:bad length
SSL_R_BAD_PACKET:240:bad packet
SSL_R_BAD_PACKET_LENGTH:115:bad packet length SSL_R_BAD_PACKET_LENGTH:115:bad packet length
SSL_R_BAD_PROTOCOL_VERSION_NUMBER:116:bad protocol version number SSL_R_BAD_PROTOCOL_VERSION_NUMBER:116:bad protocol version number
SSL_R_BAD_PSK:219:bad psk SSL_R_BAD_PSK:219:bad psk
...@@ -2311,6 +2354,7 @@ SSL_R_BAD_WRITE_RETRY:127:bad write retry ...@@ -2311,6 +2354,7 @@ SSL_R_BAD_WRITE_RETRY:127:bad write retry
SSL_R_BIO_NOT_SET:128:bio not set SSL_R_BIO_NOT_SET:128:bio not set
SSL_R_BLOCK_CIPHER_PAD_IS_WRONG:129:block cipher pad is wrong SSL_R_BLOCK_CIPHER_PAD_IS_WRONG:129:block cipher pad is wrong
SSL_R_BN_LIB:130:bn lib SSL_R_BN_LIB:130:bn lib
SSL_R_CALLBACK_FAILED:234:callback failed
SSL_R_CANNOT_CHANGE_CIPHER:109:cannot change cipher SSL_R_CANNOT_CHANGE_CIPHER:109:cannot change cipher
SSL_R_CA_DN_LENGTH_MISMATCH:131:ca dn length mismatch SSL_R_CA_DN_LENGTH_MISMATCH:131:ca dn length mismatch
SSL_R_CA_KEY_TOO_SMALL:397:ca key too small SSL_R_CA_KEY_TOO_SMALL:397:ca key too small
...@@ -2380,6 +2424,7 @@ SSL_R_INCONSISTENT_EARLY_DATA_ALPN:222:inconsistent early data alpn ...@@ -2380,6 +2424,7 @@ SSL_R_INCONSISTENT_EARLY_DATA_ALPN:222:inconsistent early data alpn
SSL_R_INCONSISTENT_EARLY_DATA_SNI:231:inconsistent early data sni SSL_R_INCONSISTENT_EARLY_DATA_SNI:231:inconsistent early data sni
SSL_R_INCONSISTENT_EXTMS:104:inconsistent extms SSL_R_INCONSISTENT_EXTMS:104:inconsistent extms
SSL_R_INVALID_ALERT:205:invalid alert SSL_R_INVALID_ALERT:205:invalid alert
SSL_R_INVALID_CERTIFICATE_OR_ALG:238:invalid certificate or alg
SSL_R_INVALID_COMMAND:280:invalid command SSL_R_INVALID_COMMAND:280:invalid command
SSL_R_INVALID_COMPRESSION_ALGORITHM:341:invalid compression algorithm SSL_R_INVALID_COMPRESSION_ALGORITHM:341:invalid compression algorithm
SSL_R_INVALID_CONFIGURATION_NAME:113:invalid configuration name SSL_R_INVALID_CONFIGURATION_NAME:113:invalid configuration name
...@@ -2409,6 +2454,7 @@ SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION:209:missing supported groups extension ...@@ -2409,6 +2454,7 @@ SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION:209:missing supported groups extension
SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
SSL_R_NO_APPLICATION_PROTOCOL:235:no application protocol
SSL_R_NO_CERTIFICATES_RETURNED:176:no certificates returned SSL_R_NO_CERTIFICATES_RETURNED:176:no certificates returned
SSL_R_NO_CERTIFICATE_ASSIGNED:177:no certificate assigned SSL_R_NO_CERTIFICATE_ASSIGNED:177:no certificate assigned
SSL_R_NO_CERTIFICATE_SET:179:no certificate set SSL_R_NO_CERTIFICATE_SET:179:no certificate set
...@@ -2439,6 +2485,7 @@ SSL_R_NULL_SSL_METHOD_PASSED:196:null ssl method passed ...@@ -2439,6 +2485,7 @@ SSL_R_NULL_SSL_METHOD_PASSED:196:null ssl method passed
SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED:197:old session cipher not returned SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED:197:old session cipher not returned
SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED:344:\ SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED:344:\
old session compression algorithm not returned old session compression algorithm not returned
SSL_R_OVERFLOW_ERROR:237:overflow error
SSL_R_PACKET_LENGTH_TOO_LONG:198:packet length too long SSL_R_PACKET_LENGTH_TOO_LONG:198:packet length too long
SSL_R_PARSE_TLSEXT:227:parse tlsext SSL_R_PARSE_TLSEXT:227:parse tlsext
SSL_R_PATH_TOO_LONG:270:path too long SSL_R_PATH_TOO_LONG:270:path too long
......
include/openssl/sslerr.h
浏览文件 @ f63a17d6
...@@ -26,9 +26,13 @@ int ERR_load_SSL_strings(void); ...@@ -26,9 +26,13 @@ int ERR_load_SSL_strings(void);
# define SSL_F_ADD_KEY_SHARE 512 # define SSL_F_ADD_KEY_SHARE 512
# define SSL_F_BYTES_TO_CIPHER_LIST 519 # define SSL_F_BYTES_TO_CIPHER_LIST 519
# define SSL_F_CHECK_SUITEB_CIPHER_LIST 331 # define SSL_F_CHECK_SUITEB_CIPHER_LIST 331
# define SSL_F_CONSTRUCT_CA_NAMES 552
# define SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS 553
# define SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH 539 # define SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH 539
# define SSL_F_CT_MOVE_SCTS 345 # define SSL_F_CT_MOVE_SCTS 345
# define SSL_F_CT_STRICT 349 # define SSL_F_CT_STRICT 349
# define SSL_F_CUSTOM_EXT_ADD 554
# define SSL_F_CUSTOM_EXT_PARSE 555
# define SSL_F_D2I_SSL_SESSION 103 # define SSL_F_D2I_SSL_SESSION 103
# define SSL_F_DANE_CTX_ENABLE 347 # define SSL_F_DANE_CTX_ENABLE 347
# define SSL_F_DANE_MTYPE_SET 393 # define SSL_F_DANE_MTYPE_SET 393
...@@ -53,11 +57,15 @@ int ERR_load_SSL_strings(void); ...@@ -53,11 +57,15 @@ int ERR_load_SSL_strings(void);
# define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE 370 # define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE 370
# define SSL_F_DTLS_PROCESS_HELLO_VERIFY 386 # define SSL_F_DTLS_PROCESS_HELLO_VERIFY 386
# define SSL_F_EARLY_DATA_COUNT_OK 532 # define SSL_F_EARLY_DATA_COUNT_OK 532
# define SSL_F_FINAL_EARLY_DATA 556
# define SSL_F_FINAL_EC_PT_FORMATS 485 # define SSL_F_FINAL_EC_PT_FORMATS 485
# define SSL_F_FINAL_EMS 486 # define SSL_F_FINAL_EMS 486
# define SSL_F_FINAL_KEY_SHARE 503 # define SSL_F_FINAL_KEY_SHARE 503
# define SSL_F_FINAL_MAXFRAGMENTLEN 557
# define SSL_F_FINAL_RENEGOTIATE 483 # define SSL_F_FINAL_RENEGOTIATE 483
# define SSL_F_FINAL_SERVER_NAME 558
# define SSL_F_FINAL_SIG_ALGS 497 # define SSL_F_FINAL_SIG_ALGS 497
# define SSL_F_GET_CERT_VERIFY_TBS_DATA 588
# define SSL_F_NSS_KEYLOG_INT 500 # define SSL_F_NSS_KEYLOG_INT 500
# define SSL_F_OPENSSL_INIT_SSL 342 # define SSL_F_OPENSSL_INIT_SSL 342
# define SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION 436 # define SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION 436
...@@ -70,6 +78,7 @@ int ERR_load_SSL_strings(void); ...@@ -70,6 +78,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_PROCESS_KEY_SHARE_EXT 439 # define SSL_F_PROCESS_KEY_SHARE_EXT 439
# define SSL_F_READ_STATE_MACHINE 352 # define SSL_F_READ_STATE_MACHINE 352
# define SSL_F_SET_CLIENT_CIPHERSUITE 540 # define SSL_F_SET_CLIENT_CIPHERSUITE 540
# define SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET 589
# define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 # define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
# define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 # define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
# define SSL_F_SSL3_CTRL 213 # define SSL_F_SSL3_CTRL 213
...@@ -77,6 +86,7 @@ int ERR_load_SSL_strings(void); ...@@ -77,6 +86,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293 # define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293
# define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292 # define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
# define SSL_F_SSL3_FINAL_FINISH_MAC 285 # define SSL_F_SSL3_FINAL_FINISH_MAC 285
# define SSL_F_SSL3_FINISH_MAC 587
# define SSL_F_SSL3_GENERATE_KEY_BLOCK 238 # define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
# define SSL_F_SSL3_GENERATE_MASTER_SECRET 388 # define SSL_F_SSL3_GENERATE_MASTER_SECRET 388
# define SSL_F_SSL3_GET_RECORD 143 # define SSL_F_SSL3_GET_RECORD 143
...@@ -145,15 +155,18 @@ int ERR_load_SSL_strings(void); ...@@ -145,15 +155,18 @@ int ERR_load_SSL_strings(void);
# define SSL_F_SSL_CTX_USE_SERVERINFO_FILE 337 # define SSL_F_SSL_CTX_USE_SERVERINFO_FILE 337
# define SSL_F_SSL_DANE_DUP 403 # define SSL_F_SSL_DANE_DUP 403
# define SSL_F_SSL_DANE_ENABLE 395 # define SSL_F_SSL_DANE_ENABLE 395
# define SSL_F_SSL_DERIVE 590
# define SSL_F_SSL_DO_CONFIG 391 # define SSL_F_SSL_DO_CONFIG 391
# define SSL_F_SSL_DO_HANDSHAKE 180 # define SSL_F_SSL_DO_HANDSHAKE 180
# define SSL_F_SSL_DUP_CA_LIST 408 # define SSL_F_SSL_DUP_CA_LIST 408
# define SSL_F_SSL_ENABLE_CT 402 # define SSL_F_SSL_ENABLE_CT 402
# define SSL_F_SSL_GENERATE_PKEY_GROUP 559
# define SSL_F_SSL_GENERATE_SESSION_ID 547 # define SSL_F_SSL_GENERATE_SESSION_ID 547
# define SSL_F_SSL_GET_NEW_SESSION 181 # define SSL_F_SSL_GET_NEW_SESSION 181
# define SSL_F_SSL_GET_PREV_SESSION 217 # define SSL_F_SSL_GET_PREV_SESSION 217
# define SSL_F_SSL_GET_SERVER_CERT_INDEX 322 # define SSL_F_SSL_GET_SERVER_CERT_INDEX 322
# define SSL_F_SSL_GET_SIGN_PKEY 183 # define SSL_F_SSL_GET_SIGN_PKEY 183
# define SSL_F_SSL_HANDSHAKE_HASH 560
# define SSL_F_SSL_INIT_WBIO_BUFFER 184 # define SSL_F_SSL_INIT_WBIO_BUFFER 184
# define SSL_F_SSL_KEY_UPDATE 515 # define SSL_F_SSL_KEY_UPDATE 515
# define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 # define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
...@@ -161,6 +174,7 @@ int ERR_load_SSL_strings(void); ...@@ -161,6 +174,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE 499 # define SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE 499
# define SSL_F_SSL_MODULE_INIT 392 # define SSL_F_SSL_MODULE_INIT 392
# define SSL_F_SSL_NEW 186 # define SSL_F_SSL_NEW 186
# define SSL_F_SSL_NEXT_PROTO_VALIDATE 565
# define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300 # define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
# define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302 # define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
# define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310 # define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310
...@@ -221,6 +235,8 @@ int ERR_load_SSL_strings(void); ...@@ -221,6 +235,8 @@ int ERR_load_SSL_strings(void);
# define SSL_F_TLS12_CHECK_PEER_SIGALG 333 # define SSL_F_TLS12_CHECK_PEER_SIGALG 333
# define SSL_F_TLS12_COPY_SIGALGS 533 # define SSL_F_TLS12_COPY_SIGALGS 533
# define SSL_F_TLS13_CHANGE_CIPHER_STATE 440 # define SSL_F_TLS13_CHANGE_CIPHER_STATE 440
# define SSL_F_TLS13_GENERATE_SECRET 591
# define SSL_F_TLS13_HKDF_EXPAND 561
# define SSL_F_TLS13_SETUP_KEY_BLOCK 441 # define SSL_F_TLS13_SETUP_KEY_BLOCK 441
# define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 # define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
# define SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS 341 # define SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS 341
...@@ -311,17 +327,40 @@ int ERR_load_SSL_strings(void); ...@@ -311,17 +327,40 @@ int ERR_load_SSL_strings(void);
# define SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO 521 # define SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO 521
# define SSL_F_TLS_GET_MESSAGE_BODY 351 # define SSL_F_TLS_GET_MESSAGE_BODY 351
# define SSL_F_TLS_GET_MESSAGE_HEADER 387 # define SSL_F_TLS_GET_MESSAGE_HEADER 387
# define SSL_F_TLS_HANDLE_ALPN 562
# define SSL_F_TLS_HANDLE_STATUS_REQUEST 563
# define SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES 566
# define SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT 449 # define SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT 449
# define SSL_F_TLS_PARSE_CTOS_ALPN 567
# define SSL_F_TLS_PARSE_CTOS_EARLY_DATA 568
# define SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS 569
# define SSL_F_TLS_PARSE_CTOS_EMS 570
# define SSL_F_TLS_PARSE_CTOS_KEY_SHARE 463 # define SSL_F_TLS_PARSE_CTOS_KEY_SHARE 463
# define SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN 571
# define SSL_F_TLS_PARSE_CTOS_PSK 505 # define SSL_F_TLS_PARSE_CTOS_PSK 505
# define SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES 572
# define SSL_F_TLS_PARSE_CTOS_RENEGOTIATE 464 # define SSL_F_TLS_PARSE_CTOS_RENEGOTIATE 464
# define SSL_F_TLS_PARSE_CTOS_SERVER_NAME 573
# define SSL_F_TLS_PARSE_CTOS_SESSION_TICKET 574
# define SSL_F_TLS_PARSE_CTOS_SIG_ALGS 575
# define SSL_F_TLS_PARSE_CTOS_SRP 576
# define SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST 577
# define SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS 578
# define SSL_F_TLS_PARSE_CTOS_USE_SRTP 465 # define SSL_F_TLS_PARSE_CTOS_USE_SRTP 465
# define SSL_F_TLS_PARSE_STOC_ALPN 579
# define SSL_F_TLS_PARSE_STOC_COOKIE 534 # define SSL_F_TLS_PARSE_STOC_COOKIE 534
# define SSL_F_TLS_PARSE_STOC_EARLY_DATA 538 # define SSL_F_TLS_PARSE_STOC_EARLY_DATA 538
# define SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO 528 # define SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO 528
# define SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS 580
# define SSL_F_TLS_PARSE_STOC_KEY_SHARE 445 # define SSL_F_TLS_PARSE_STOC_KEY_SHARE 445
# define SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN 581
# define SSL_F_TLS_PARSE_STOC_NPN 582
# define SSL_F_TLS_PARSE_STOC_PSK 502 # define SSL_F_TLS_PARSE_STOC_PSK 502
# define SSL_F_TLS_PARSE_STOC_RENEGOTIATE 448 # define SSL_F_TLS_PARSE_STOC_RENEGOTIATE 448
# define SSL_F_TLS_PARSE_STOC_SCT 564
# define SSL_F_TLS_PARSE_STOC_SERVER_NAME 583
# define SSL_F_TLS_PARSE_STOC_SESSION_TICKET 584
# define SSL_F_TLS_PARSE_STOC_STATUS_REQUEST 585
# define SSL_F_TLS_PARSE_STOC_USE_SRTP 446 # define SSL_F_TLS_PARSE_STOC_USE_SRTP 446
# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378 # define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378
# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384 # define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384
...@@ -361,6 +400,7 @@ int ERR_load_SSL_strings(void); ...@@ -361,6 +400,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT 450 # define SSL_F_TLS_SCAN_CLIENTHELLO_TLSEXT 450
# define SSL_F_TLS_SETUP_HANDSHAKE 508 # define SSL_F_TLS_SETUP_HANDSHAKE 508
# define SSL_F_USE_CERTIFICATE_CHAIN_FILE 220 # define SSL_F_USE_CERTIFICATE_CHAIN_FILE 220
# define SSL_F_WRITE_STATE_MACHINE 586
/* /*
* SSL reason codes. * SSL reason codes.
...@@ -376,14 +416,17 @@ int ERR_load_SSL_strings(void); ...@@ -376,14 +416,17 @@ int ERR_load_SSL_strings(void);
# define SSL_R_BAD_DECOMPRESSION 107 # define SSL_R_BAD_DECOMPRESSION 107
# define SSL_R_BAD_DH_VALUE 102 # define SSL_R_BAD_DH_VALUE 102
# define SSL_R_BAD_DIGEST_LENGTH 111 # define SSL_R_BAD_DIGEST_LENGTH 111
# define SSL_R_BAD_EARLY_DATA 233
# define SSL_R_BAD_ECC_CERT 304 # define SSL_R_BAD_ECC_CERT 304
# define SSL_R_BAD_ECPOINT 306 # define SSL_R_BAD_ECPOINT 306
# define SSL_R_BAD_EXTENSION 110 # define SSL_R_BAD_EXTENSION 110
# define SSL_R_BAD_HANDSHAKE_LENGTH 332 # define SSL_R_BAD_HANDSHAKE_LENGTH 332
# define SSL_R_BAD_HANDSHAKE_STATE 236
# define SSL_R_BAD_HELLO_REQUEST 105 # define SSL_R_BAD_HELLO_REQUEST 105
# define SSL_R_BAD_KEY_SHARE 108 # define SSL_R_BAD_KEY_SHARE 108
# define SSL_R_BAD_KEY_UPDATE 122 # define SSL_R_BAD_KEY_UPDATE 122
# define SSL_R_BAD_LENGTH 271 # define SSL_R_BAD_LENGTH 271
# define SSL_R_BAD_PACKET 240
# define SSL_R_BAD_PACKET_LENGTH 115 # define SSL_R_BAD_PACKET_LENGTH 115
# define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116 # define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
# define SSL_R_BAD_PSK 219 # define SSL_R_BAD_PSK 219
...@@ -401,6 +444,7 @@ int ERR_load_SSL_strings(void); ...@@ -401,6 +444,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_BIO_NOT_SET 128 # define SSL_R_BIO_NOT_SET 128
# define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129 # define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
# define SSL_R_BN_LIB 130 # define SSL_R_BN_LIB 130
# define SSL_R_CALLBACK_FAILED 234
# define SSL_R_CANNOT_CHANGE_CIPHER 109 # define SSL_R_CANNOT_CHANGE_CIPHER 109
# define SSL_R_CA_DN_LENGTH_MISMATCH 131 # define SSL_R_CA_DN_LENGTH_MISMATCH 131
# define SSL_R_CA_KEY_TOO_SMALL 397 # define SSL_R_CA_KEY_TOO_SMALL 397
...@@ -467,6 +511,7 @@ int ERR_load_SSL_strings(void); ...@@ -467,6 +511,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_INCONSISTENT_EARLY_DATA_SNI 231 # define SSL_R_INCONSISTENT_EARLY_DATA_SNI 231
# define SSL_R_INCONSISTENT_EXTMS 104 # define SSL_R_INCONSISTENT_EXTMS 104
# define SSL_R_INVALID_ALERT 205 # define SSL_R_INVALID_ALERT 205
# define SSL_R_INVALID_CERTIFICATE_OR_ALG 238
# define SSL_R_INVALID_COMMAND 280 # define SSL_R_INVALID_COMMAND 280
# define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 # define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
# define SSL_R_INVALID_CONFIGURATION_NAME 113 # define SSL_R_INVALID_CONFIGURATION_NAME 113
...@@ -496,6 +541,7 @@ int ERR_load_SSL_strings(void); ...@@ -496,6 +541,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_MISSING_TMP_DH_KEY 171 # define SSL_R_MISSING_TMP_DH_KEY 171
# define SSL_R_MISSING_TMP_ECDH_KEY 311 # define SSL_R_MISSING_TMP_ECDH_KEY 311
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182 # define SSL_R_NOT_ON_RECORD_BOUNDARY 182
# define SSL_R_NO_APPLICATION_PROTOCOL 235
# define SSL_R_NO_CERTIFICATES_RETURNED 176 # define SSL_R_NO_CERTIFICATES_RETURNED 176
# define SSL_R_NO_CERTIFICATE_ASSIGNED 177 # define SSL_R_NO_CERTIFICATE_ASSIGNED 177
# define SSL_R_NO_CERTIFICATE_SET 179 # define SSL_R_NO_CERTIFICATE_SET 179
...@@ -524,6 +570,7 @@ int ERR_load_SSL_strings(void); ...@@ -524,6 +570,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_NULL_SSL_METHOD_PASSED 196 # define SSL_R_NULL_SSL_METHOD_PASSED 196
# define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 # define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
# define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344 # define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
# define SSL_R_OVERFLOW_ERROR 237
# define SSL_R_PACKET_LENGTH_TOO_LONG 198 # define SSL_R_PACKET_LENGTH_TOO_LONG 198
# define SSL_R_PARSE_TLSEXT 227 # define SSL_R_PARSE_TLSEXT 227
# define SSL_R_PATH_TOO_LONG 270 # define SSL_R_PATH_TOO_LONG 270
......
ssl/record/ssl3_buffer.c
浏览文件 @ f63a17d6
...@@ -116,7 +116,9 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) ...@@ -116,7 +116,9 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len)
p = OPENSSL_malloc(len); p = OPENSSL_malloc(len);
if (p == NULL) { if (p == NULL) {
s->rlayer.numwpipes = currpipe; s->rlayer.numwpipes = currpipe;
goto err; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE);
return 0;
} }
memset(thiswb, 0, sizeof(SSL3_BUFFER)); memset(thiswb, 0, sizeof(SSL3_BUFFER));
thiswb->buf = p; thiswb->buf = p;
...@@ -125,18 +127,16 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) ...@@ -125,18 +127,16 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len)
} }
return 1; return 1;
err:
SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE);
return 0;
} }
int ssl3_setup_buffers(SSL *s) int ssl3_setup_buffers(SSL *s)
{ {
if (!ssl3_setup_read_buffer(s)) if (!ssl3_setup_read_buffer(s))
return 0; return 0;
if (!ssl3_setup_write_buffer(s, 1, 0)) if (!ssl3_setup_write_buffer(s, 1, 0)) {
/* SSLfatal() already called */
return 0; return 0;
}
return 1; return 1;
} }
......
ssl/s3_enc.c
浏览文件 @ f63a17d6
...@@ -96,8 +96,9 @@ int ssl3_change_cipher_state(SSL *s, int which) ...@@ -96,8 +96,9 @@ int ssl3_change_cipher_state(SSL *s, int which)
m = s->s3->tmp.new_hash; m = s->s3->tmp.new_hash;
/* m == NULL will lead to a crash later */ /* m == NULL will lead to a crash later */
if (!ossl_assert(m != NULL)) { if (!ossl_assert(m != NULL)) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
if (s->s3->tmp.new_compression == NULL) if (s->s3->tmp.new_compression == NULL)
...@@ -107,20 +108,24 @@ int ssl3_change_cipher_state(SSL *s, int which) ...@@ -107,20 +108,24 @@ int ssl3_change_cipher_state(SSL *s, int which)
#endif #endif
if (which & SSL3_CC_READ) { if (which & SSL3_CC_READ) {
if (s->enc_read_ctx != NULL) if (s->enc_read_ctx != NULL) {
reuse_dd = 1; reuse_dd = 1;
else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
else } else {
/* /*
* make sure it's initialised in case we exit later with an error * make sure it's initialised in case we exit later with an error
*/ */
EVP_CIPHER_CTX_reset(s->enc_read_ctx); EVP_CIPHER_CTX_reset(s->enc_read_ctx);
}
dd = s->enc_read_ctx; dd = s->enc_read_ctx;
if (ssl_replace_hash(&s->read_hash, m) == NULL) { if (ssl_replace_hash(&s->read_hash, m) == NULL) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
/* COMPRESS */ /* COMPRESS */
...@@ -129,28 +134,33 @@ int ssl3_change_cipher_state(SSL *s, int which) ...@@ -129,28 +134,33 @@ int ssl3_change_cipher_state(SSL *s, int which)
if (comp != NULL) { if (comp != NULL) {
s->expand = COMP_CTX_new(comp); s->expand = COMP_CTX_new(comp);
if (s->expand == NULL) { if (s->expand == NULL) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_SSL3_CHANGE_CIPHER_STATE,
SSL_R_COMPRESSION_LIBRARY_ERROR); SSL_R_COMPRESSION_LIBRARY_ERROR);
goto err2; goto err;
} }
} }
#endif #endif
RECORD_LAYER_reset_read_sequence(&s->rlayer); RECORD_LAYER_reset_read_sequence(&s->rlayer);
mac_secret = &(s->s3->read_mac_secret[0]); mac_secret = &(s->s3->read_mac_secret[0]);
} else { } else {
if (s->enc_write_ctx != NULL) if (s->enc_write_ctx != NULL) {
reuse_dd = 1; reuse_dd = 1;
else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
else } else {
/* /*
* make sure it's initialised in case we exit later with an error * make sure it's initialised in case we exit later with an error
*/ */
EVP_CIPHER_CTX_reset(s->enc_write_ctx); EVP_CIPHER_CTX_reset(s->enc_write_ctx);
}
dd = s->enc_write_ctx; dd = s->enc_write_ctx;
if (ssl_replace_hash(&s->write_hash, m) == NULL) { if (ssl_replace_hash(&s->write_hash, m) == NULL) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
goto err2; ERR_R_MALLOC_FAILURE);
goto err;
} }
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
/* COMPRESS */ /* COMPRESS */
...@@ -159,9 +169,10 @@ int ssl3_change_cipher_state(SSL *s, int which) ...@@ -159,9 +169,10 @@ int ssl3_change_cipher_state(SSL *s, int which)
if (comp != NULL) { if (comp != NULL) {
s->compress = COMP_CTX_new(comp); s->compress = COMP_CTX_new(comp);
if (s->compress == NULL) { if (s->compress == NULL) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_SSL3_CHANGE_CIPHER_STATE,
SSL_R_COMPRESSION_LIBRARY_ERROR); SSL_R_COMPRESSION_LIBRARY_ERROR);
goto err2; goto err;
} }
} }
#endif #endif
...@@ -174,8 +185,11 @@ int ssl3_change_cipher_state(SSL *s, int which) ...@@ -174,8 +185,11 @@ int ssl3_change_cipher_state(SSL *s, int which)
p = s->s3->tmp.key_block; p = s->s3->tmp.key_block;
mdi = EVP_MD_size(m); mdi = EVP_MD_size(m);
if (mdi < 0) if (mdi < 0) {
goto err2; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
ERR_R_INTERNAL_ERROR);
goto err;
}
i = mdi; i = mdi;
cl = EVP_CIPHER_key_length(c); cl = EVP_CIPHER_key_length(c);
j = cl; j = cl;
...@@ -199,21 +213,23 @@ int ssl3_change_cipher_state(SSL *s, int which) ...@@ -199,21 +213,23 @@ int ssl3_change_cipher_state(SSL *s, int which)
} }
if (n > s->s3->tmp.key_block_length) { if (n > s->s3->tmp.key_block_length) {
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
memcpy(mac_secret, ms, i); memcpy(mac_secret, ms, i);
if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
goto err2; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE,
ERR_R_INTERNAL_ERROR);
goto err;
}
OPENSSL_cleanse(exp_key, sizeof(exp_key)); OPENSSL_cleanse(exp_key, sizeof(exp_key));
OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
return 1; return 1;
err: err:
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
err2:
OPENSSL_cleanse(exp_key, sizeof(exp_key)); OPENSSL_cleanse(exp_key, sizeof(exp_key));
OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
return 0; return 0;
...@@ -232,7 +248,8 @@ int ssl3_setup_key_block(SSL *s) ...@@ -232,7 +248,8 @@ int ssl3_setup_key_block(SSL *s)
return 1; return 1;
if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) { if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) {
SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK,
SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return 0; return 0;
} }
...@@ -253,8 +270,11 @@ int ssl3_setup_key_block(SSL *s) ...@@ -253,8 +270,11 @@ int ssl3_setup_key_block(SSL *s)
ssl3_cleanup_key_block(s); ssl3_cleanup_key_block(s);
if ((p = OPENSSL_malloc(num)) == NULL) if ((p = OPENSSL_malloc(num)) == NULL) {
goto err; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK,
ERR_R_MALLOC_FAILURE);
return 0;
}
s->s3->tmp.key_block_length = num; s->s3->tmp.key_block_length = num;
s->s3->tmp.key_block = p; s->s3->tmp.key_block = p;
...@@ -280,10 +300,6 @@ int ssl3_setup_key_block(SSL *s) ...@@ -280,10 +300,6 @@ int ssl3_setup_key_block(SSL *s)
} }
return ret; return ret;
err:
SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
return 0;
} }
void ssl3_cleanup_key_block(SSL *s) void ssl3_cleanup_key_block(SSL *s)
...@@ -323,16 +339,30 @@ void ssl3_free_digest_list(SSL *s) ...@@ -323,16 +339,30 @@ void ssl3_free_digest_list(SSL *s)
int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len) int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len)
{ {
if (s->s3->handshake_dgst == NULL) {
int ret; int ret;
if (s->s3->handshake_dgst == NULL) {
/* Note: this writes to a memory BIO so a failure is a fatal error */ /* Note: this writes to a memory BIO so a failure is a fatal error */
if (len > INT_MAX) if (len > INT_MAX) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC,
SSL_R_OVERFLOW_ERROR);
return 0; return 0;
}
ret = BIO_write(s->s3->handshake_buffer, (void *)buf, (int)len); ret = BIO_write(s->s3->handshake_buffer, (void *)buf, (int)len);
return ret > 0 && ret == (int)len; if (ret <= 0 || ret != (int)len) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC,
ERR_R_INTERNAL_ERROR);
return 0;
}
} else { } else {
return EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); ret = EVP_DigestUpdate(s->s3->handshake_dgst, buf, len);
if (!ret) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC,
ERR_R_INTERNAL_ERROR);
return 0;
} }
}
return 1;
} }
int ssl3_digest_cached_records(SSL *s, int keep) int ssl3_digest_cached_records(SSL *s, int keep)
...@@ -344,21 +374,23 @@ int ssl3_digest_cached_records(SSL *s, int keep) ...@@ -344,21 +374,23 @@ int ssl3_digest_cached_records(SSL *s, int keep)
if (s->s3->handshake_dgst == NULL) { if (s->s3->handshake_dgst == NULL) {
hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
if (hdatalen <= 0) { if (hdatalen <= 0) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS,
SSL_R_BAD_HANDSHAKE_LENGTH); SSL_R_BAD_HANDSHAKE_LENGTH);
return 0; return 0;
} }
s->s3->handshake_dgst = EVP_MD_CTX_new(); s->s3->handshake_dgst = EVP_MD_CTX_new();
if (s->s3->handshake_dgst == NULL) { if (s->s3->handshake_dgst == NULL) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS,
ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
md = ssl_handshake_md(s); md = ssl_handshake_md(s);
if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL) if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL)
|| !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) { || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) {
SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -435,7 +467,8 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, ...@@ -435,7 +467,8 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
size_t ret_secret_size = 0; size_t ret_secret_size = 0;
if (ctx == NULL) { if (ctx == NULL) {
SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_MASTER_SECRET,
ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
for (i = 0; i < 3; i++) { for (i = 0; i < 3; i++) {
...@@ -453,7 +486,8 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, ...@@ -453,7 +486,8 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
|| EVP_DigestUpdate(ctx, p, len) <= 0 || EVP_DigestUpdate(ctx, p, len) <= 0
|| EVP_DigestUpdate(ctx, buf, n) <= 0 || EVP_DigestUpdate(ctx, buf, n) <= 0
|| EVP_DigestFinal_ex(ctx, out, &n) <= 0) { || EVP_DigestFinal_ex(ctx, out, &n) <= 0) {
SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
ret = 0; ret = 0;
break; break;
} }
......
ssl/s3_lib.c
浏览文件 @ f63a17d6
...@@ -4590,8 +4590,10 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, ...@@ -4590,8 +4590,10 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
s->s3->tmp.psk = NULL; s->s3->tmp.psk = NULL;
if (!s->method->ssl3_enc->generate_master_secret(s, if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,pskpms, pskpmslen, s->session->master_key,pskpms, pskpmslen,
&s->session->master_key_length)) &s->session->master_key_length)) {
/* SSLfatal() already called */
goto err; goto err;
}
OPENSSL_clear_free(pskpms, pskpmslen); OPENSSL_clear_free(pskpms, pskpmslen);
#else #else
/* Should never happen */ /* Should never happen */
...@@ -4600,9 +4602,11 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, ...@@ -4600,9 +4602,11 @@ int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
} else { } else {
if (!s->method->ssl3_enc->generate_master_secret(s, if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, pms, pmslen, s->session->master_key, pms, pmslen,
&s->session->master_key_length)) &s->session->master_key_length)) {
/* SSLfatal() already called */
goto err; goto err;
} }
}
ret = 1; ret = 1;
err: err:
...@@ -4641,28 +4645,42 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm) ...@@ -4641,28 +4645,42 @@ EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm)
} }
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
/* Generate a private key from a group ID */ /* Generate a private key from a group ID */
EVP_PKEY *ssl_generate_pkey_group(uint16_t id) EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
{ {
EVP_PKEY_CTX *pctx = NULL; EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id); const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
uint16_t gtype; uint16_t gtype;
if (ginf == NULL) if (ginf == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
gtype = ginf->flags & TLS_CURVE_TYPE; gtype = ginf->flags & TLS_CURVE_TYPE;
if (gtype == TLS_CURVE_CUSTOM) if (gtype == TLS_CURVE_CUSTOM)
pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL); pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
else else
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
if (pctx == NULL) if (pctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
if (EVP_PKEY_keygen_init(pctx) <= 0) }
if (EVP_PKEY_keygen_init(pctx) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_EVP_LIB);
goto err; goto err;
}
if (gtype != TLS_CURVE_CUSTOM if (gtype != TLS_CURVE_CUSTOM
&& EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) && EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_EVP_LIB);
goto err; goto err;
}
if (EVP_PKEY_keygen(pctx, &pkey) <= 0) { if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_EVP_LIB);
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
pkey = NULL; pkey = NULL;
} }
...@@ -4718,25 +4736,37 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret) ...@@ -4718,25 +4736,37 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret)
size_t pmslen = 0; size_t pmslen = 0;
EVP_PKEY_CTX *pctx; EVP_PKEY_CTX *pctx;
if (privkey == NULL || pubkey == NULL) if (privkey == NULL || pubkey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
}
pctx = EVP_PKEY_CTX_new(privkey, NULL); pctx = EVP_PKEY_CTX_new(privkey, NULL);
if (EVP_PKEY_derive_init(pctx) <= 0 if (EVP_PKEY_derive_init(pctx) <= 0
|| EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0 || EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0
|| EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) { || EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
pms = OPENSSL_malloc(pmslen); pms = OPENSSL_malloc(pmslen);
if (pms == NULL) if (pms == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
}
if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
if (gensecret) { if (gensecret) {
/* SSLfatal() called as appropriate in the below functions */
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
/* /*
* If we are resuming then we already generated the early secret * If we are resuming then we already generated the early secret
......
ssl/ssl_err.c
浏览文件 @ f63a17d6
...@@ -20,10 +20,15 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -20,10 +20,15 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"bytes_to_cipher_list"}, "bytes_to_cipher_list"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CHECK_SUITEB_CIPHER_LIST, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_CHECK_SUITEB_CIPHER_LIST, 0),
"check_suiteb_cipher_list"}, "check_suiteb_cipher_list"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_CA_NAMES, 0), "construct_ca_names"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS, 0),
"construct_key_exchange_tbs"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH, 0),
"create_synthetic_message_hash"}, "create_synthetic_message_hash"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CT_MOVE_SCTS, 0), "ct_move_scts"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_CT_MOVE_SCTS, 0), "ct_move_scts"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CT_STRICT, 0), "ct_strict"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_CT_STRICT, 0), "ct_strict"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CUSTOM_EXT_ADD, 0), "custom_ext_add"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_CUSTOM_EXT_PARSE, 0), "custom_ext_parse"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_D2I_SSL_SESSION, 0), "d2i_SSL_SESSION"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_D2I_SSL_SESSION, 0), "d2i_SSL_SESSION"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_DANE_CTX_ENABLE, 0), "dane_ctx_enable"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_DANE_CTX_ENABLE, 0), "dane_ctx_enable"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_DANE_MTYPE_SET, 0), "dane_mtype_set"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_DANE_MTYPE_SET, 0), "dane_mtype_set"},
...@@ -61,12 +66,18 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -61,12 +66,18 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"dtls_process_hello_verify"}, "dtls_process_hello_verify"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_EARLY_DATA_COUNT_OK, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_EARLY_DATA_COUNT_OK, 0),
"early_data_count_ok"}, "early_data_count_ok"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EARLY_DATA, 0), "final_early_data"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EC_PT_FORMATS, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EC_PT_FORMATS, 0),
"final_ec_pt_formats"}, "final_ec_pt_formats"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EMS, 0), "final_ems"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_EMS, 0), "final_ems"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_KEY_SHARE, 0), "final_key_share"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_KEY_SHARE, 0), "final_key_share"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_MAXFRAGMENTLEN, 0),
"final_maxfragmentlen"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_RENEGOTIATE, 0), "final_renegotiate"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_RENEGOTIATE, 0), "final_renegotiate"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SERVER_NAME, 0), "final_server_name"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SIG_ALGS, 0), "final_sig_algs"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_FINAL_SIG_ALGS, 0), "final_sig_algs"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_GET_CERT_VERIFY_TBS_DATA, 0),
"get_cert_verify_tbs_data"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_NSS_KEYLOG_INT, 0), "nss_keylog_int"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_NSS_KEYLOG_INT, 0), "nss_keylog_int"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_OPENSSL_INIT_SSL, 0), "OPENSSL_init_ssl"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_OPENSSL_INIT_SSL, 0), "OPENSSL_init_ssl"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_OSSL_STATEM_CLIENT13_READ_TRANSITION, 0), ""},
...@@ -82,6 +93,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -82,6 +93,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
{ERR_PACK(ERR_LIB_SSL, SSL_F_READ_STATE_MACHINE, 0), "read_state_machine"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_READ_STATE_MACHINE, 0), "read_state_machine"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SET_CLIENT_CIPHERSUITE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SET_CLIENT_CIPHERSUITE, 0),
"set_client_ciphersuite"}, "set_client_ciphersuite"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, 0),
"srp_generate_server_master_secret"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CHANGE_CIPHER_STATE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CHANGE_CIPHER_STATE, 0),
"ssl3_change_cipher_state"}, "ssl3_change_cipher_state"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 0),
...@@ -94,6 +107,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -94,6 +107,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"ssl3_do_change_cipher_spec"}, "ssl3_do_change_cipher_spec"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_FINAL_FINISH_MAC, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_FINAL_FINISH_MAC, 0),
"ssl3_final_finish_mac"}, "ssl3_final_finish_mac"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_FINISH_MAC, 0), "ssl3_finish_mac"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GENERATE_KEY_BLOCK, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GENERATE_KEY_BLOCK, 0),
"ssl3_generate_key_block"}, "ssl3_generate_key_block"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GENERATE_MASTER_SECRET, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GENERATE_MASTER_SECRET, 0),
...@@ -206,10 +220,13 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -206,10 +220,13 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"SSL_CTX_use_serverinfo_file"}, "SSL_CTX_use_serverinfo_file"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DANE_DUP, 0), "ssl_dane_dup"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DANE_DUP, 0), "ssl_dane_dup"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DANE_ENABLE, 0), "SSL_dane_enable"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DANE_ENABLE, 0), "SSL_dane_enable"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DERIVE, 0), "ssl_derive"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DO_CONFIG, 0), "ssl_do_config"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DO_CONFIG, 0), "ssl_do_config"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DO_HANDSHAKE, 0), "SSL_do_handshake"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DO_HANDSHAKE, 0), "SSL_do_handshake"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DUP_CA_LIST, 0), "SSL_dup_CA_list"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_DUP_CA_LIST, 0), "SSL_dup_CA_list"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ENABLE_CT, 0), "SSL_enable_ct"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_ENABLE_CT, 0), "SSL_enable_ct"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GENERATE_PKEY_GROUP, 0),
"ssl_generate_pkey_group"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GENERATE_SESSION_ID, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GENERATE_SESSION_ID, 0),
"ssl_generate_session_id"}, "ssl_generate_session_id"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_NEW_SESSION, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_NEW_SESSION, 0),
...@@ -218,6 +235,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -218,6 +235,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"ssl_get_prev_session"}, "ssl_get_prev_session"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_SERVER_CERT_INDEX, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_SERVER_CERT_INDEX, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_SIGN_PKEY, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_GET_SIGN_PKEY, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_HANDSHAKE_HASH, 0), "ssl_handshake_hash"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_INIT_WBIO_BUFFER, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_INIT_WBIO_BUFFER, 0),
"ssl_init_wbio_buffer"}, "ssl_init_wbio_buffer"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_KEY_UPDATE, 0), "SSL_key_update"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_KEY_UPDATE, 0), "SSL_key_update"},
...@@ -228,6 +246,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -228,6 +246,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"ssl_log_rsa_client_key_exchange"}, "ssl_log_rsa_client_key_exchange"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_MODULE_INIT, 0), "ssl_module_init"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_MODULE_INIT, 0), "ssl_module_init"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_NEW, 0), "SSL_new"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_NEW, 0), "SSL_new"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_NEXT_PROTO_VALIDATE, 0),
"ssl_next_proto_validate"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, 0), ""},
...@@ -315,6 +335,9 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -315,6 +335,9 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS12_COPY_SIGALGS, 0), "tls12_copy_sigalgs"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS12_COPY_SIGALGS, 0), "tls12_copy_sigalgs"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_CHANGE_CIPHER_STATE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_CHANGE_CIPHER_STATE, 0),
"tls13_change_cipher_state"}, "tls13_change_cipher_state"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_GENERATE_SECRET, 0),
"tls13_generate_secret"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_HKDF_EXPAND, 0), "tls13_hkdf_expand"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_SETUP_KEY_BLOCK, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_SETUP_KEY_BLOCK, 0),
"tls13_setup_key_block"}, "tls13_setup_key_block"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_CHANGE_CIPHER_STATE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS1_CHANGE_CIPHER_STATE, 0),
...@@ -478,24 +501,65 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -478,24 +501,65 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"tls_get_message_body"}, "tls_get_message_body"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_GET_MESSAGE_HEADER, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_GET_MESSAGE_HEADER, 0),
"tls_get_message_header"}, "tls_get_message_header"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_HANDLE_ALPN, 0), "tls_handle_alpn"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_HANDLE_STATUS_REQUEST, 0),
"tls_handle_status_request"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, 0),
"tls_parse_certificate_authorities"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CLIENTHELLO_TLSEXT, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_ALPN, 0),
"tls_parse_ctos_alpn"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_EARLY_DATA, 0),
"tls_parse_ctos_early_data"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, 0),
"tls_parse_ctos_ec_pt_formats"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_EMS, 0), "tls_parse_ctos_ems"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_KEY_SHARE, 0),
"tls_parse_ctos_key_share"}, "tls_parse_ctos_key_share"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN, 0),
"tls_parse_ctos_maxfragmentlen"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_PSK, 0), "tls_parse_ctos_psk"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_PSK, 0), "tls_parse_ctos_psk"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES, 0),
"tls_parse_ctos_psk_kex_modes"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, 0),
"tls_parse_ctos_renegotiate"}, "tls_parse_ctos_renegotiate"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SERVER_NAME, 0),
"tls_parse_ctos_server_name"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, 0),
"tls_parse_ctos_session_ticket"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SIG_ALGS, 0),
"tls_parse_ctos_sig_algs"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SRP, 0), "tls_parse_ctos_srp"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, 0),
"tls_parse_ctos_status_request"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, 0),
"tls_parse_ctos_supported_groups"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_USE_SRTP, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_CTOS_USE_SRTP, 0),
"tls_parse_ctos_use_srtp"}, "tls_parse_ctos_use_srtp"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_ALPN, 0),
"tls_parse_stoc_alpn"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_COOKIE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_COOKIE, 0),
"tls_parse_stoc_cookie"}, "tls_parse_stoc_cookie"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 0),
"tls_parse_stoc_early_data"}, "tls_parse_stoc_early_data"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, 0),
"tls_parse_stoc_ec_pt_formats"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 0),
"tls_parse_stoc_key_share"}, "tls_parse_stoc_key_share"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 0),
"tls_parse_stoc_maxfragmentlen"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_NPN, 0), "tls_parse_stoc_npn"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_PSK, 0), "tls_parse_stoc_psk"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_PSK, 0), "tls_parse_stoc_psk"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 0),
"tls_parse_stoc_renegotiate"}, "tls_parse_stoc_renegotiate"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SCT, 0), "tls_parse_stoc_sct"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 0),
"tls_parse_stoc_server_name"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_SESSION_TICKET, 0),
"tls_parse_stoc_session_ticket"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, 0),
"tls_parse_stoc_status_request"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_USE_SRTP, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_PARSE_STOC_USE_SRTP, 0),
"tls_parse_stoc_use_srtp"}, "tls_parse_stoc_use_srtp"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, 0),
...@@ -571,6 +635,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = { ...@@ -571,6 +635,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
"tls_setup_handshake"}, "tls_setup_handshake"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_USE_CERTIFICATE_CHAIN_FILE, 0), {ERR_PACK(ERR_LIB_SSL, SSL_F_USE_CERTIFICATE_CHAIN_FILE, 0),
"use_certificate_chain_file"}, "use_certificate_chain_file"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_WRITE_STATE_MACHINE, 0),
"write_state_machine"},
{0, NULL} {0, NULL}
}; };
...@@ -592,15 +658,19 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { ...@@ -592,15 +658,19 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "bad decompression"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "bad decompression"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_VALUE), "bad dh value"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_VALUE), "bad dh value"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DIGEST_LENGTH), "bad digest length"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DIGEST_LENGTH), "bad digest length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_EARLY_DATA), "bad early data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECC_CERT), "bad ecc cert"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECC_CERT), "bad ecc cert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECPOINT), "bad ecpoint"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECPOINT), "bad ecpoint"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_EXTENSION), "bad extension"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_EXTENSION), "bad extension"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_LENGTH), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_LENGTH),
"bad handshake length"}, "bad handshake length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_STATE),
"bad handshake state"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "bad hello request"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "bad hello request"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_SHARE), "bad key share"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_SHARE), "bad key share"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_UPDATE), "bad key update"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_UPDATE), "bad key update"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LENGTH), "bad length"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LENGTH), "bad length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET), "bad packet"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET_LENGTH), "bad packet length"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET_LENGTH), "bad packet length"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PROTOCOL_VERSION_NUMBER), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PROTOCOL_VERSION_NUMBER),
"bad protocol version number"}, "bad protocol version number"},
...@@ -621,6 +691,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { ...@@ -621,6 +691,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
"block cipher pad is wrong"}, "block cipher pad is wrong"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BN_LIB), "bn lib"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BN_LIB), "bn lib"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CALLBACK_FAILED), "callback failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_CHANGE_CIPHER), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_CHANGE_CIPHER),
"cannot change cipher"}, "cannot change cipher"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH),
...@@ -740,6 +811,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { ...@@ -740,6 +811,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"inconsistent early data sni"}, "inconsistent early data sni"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_ALERT), "invalid alert"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_ALERT), "invalid alert"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CERTIFICATE_OR_ALG),
"invalid certificate or alg"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMMAND), "invalid command"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMMAND), "invalid command"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMPRESSION_ALGORITHM), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMPRESSION_ALGORITHM),
"invalid compression algorithm"}, "invalid compression algorithm"},
...@@ -792,6 +865,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { ...@@ -792,6 +865,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"missing tmp ecdh key"}, "missing tmp ecdh key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
"not on record boundary"}, "not on record boundary"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_APPLICATION_PROTOCOL),
"no application protocol"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATES_RETURNED), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATES_RETURNED),
"no certificates returned"}, "no certificates returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_ASSIGNED), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_ASSIGNED),
...@@ -838,6 +913,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { ...@@ -838,6 +913,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"old session cipher not returned"}, "old session cipher not returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),
"old session compression algorithm not returned"}, "old session compression algorithm not returned"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OVERFLOW_ERROR), "overflow error"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PACKET_LENGTH_TOO_LONG), {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PACKET_LENGTH_TOO_LONG),
"packet length too long"}, "packet length too long"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PARSE_TLSEXT), "parse tlsext"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PARSE_TLSEXT), "parse tlsext"},
......
ssl/ssl_lib.c
浏览文件 @ f63a17d6
...@@ -4201,16 +4201,22 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen, ...@@ -4201,16 +4201,22 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
int hashleni = EVP_MD_CTX_size(hdgst); int hashleni = EVP_MD_CTX_size(hdgst);
int ret = 0; int ret = 0;
if (hashleni < 0 || (size_t)hashleni > outlen) if (hashleni < 0 || (size_t)hashleni > outlen) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
ctx = EVP_MD_CTX_new(); ctx = EVP_MD_CTX_new();
if (ctx == NULL) if (ctx == NULL)
goto err; goto err;
if (!EVP_MD_CTX_copy_ex(ctx, hdgst) if (!EVP_MD_CTX_copy_ex(ctx, hdgst)
|| EVP_DigestFinal_ex(ctx, out, NULL) <= 0) || EVP_DigestFinal_ex(ctx, out, NULL) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_HANDSHAKE_HASH,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
*hashlen = hashleni; *hashlen = hashleni;
...@@ -4630,7 +4636,8 @@ int ssl_validate_ct(SSL *s) ...@@ -4630,7 +4636,8 @@ int ssl_validate_ct(SSL *s)
ctx = CT_POLICY_EVAL_CTX_new(); ctx = CT_POLICY_EVAL_CTX_new();
if (ctx == NULL) { if (ctx == NULL) {
SSLerr(SSL_F_SSL_VALIDATE_CT, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_VALIDATE_CT,
ERR_R_MALLOC_FAILURE);
goto end; goto end;
} }
...@@ -4658,13 +4665,17 @@ int ssl_validate_ct(SSL *s) ...@@ -4658,13 +4665,17 @@ int ssl_validate_ct(SSL *s)
* ought to correspond to an inability to carry out its duties. * ought to correspond to an inability to carry out its duties.
*/ */
if (SCT_LIST_validate(scts, ctx) < 0) { if (SCT_LIST_validate(scts, ctx) < 0) {
SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_SCT_VERIFICATION_FAILED); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT,
SSL_R_SCT_VERIFICATION_FAILED);
goto end; goto end;
} }
ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg); ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
if (ret < 0) if (ret < 0)
ret = 0; /* This function returns 0 on failure */ ret = 0; /* This function returns 0 on failure */
if (!ret)
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL_VALIDATE_CT,
SSL_R_CALLBACK_FAILED);
end: end:
CT_POLICY_EVAL_CTX_free(ctx); CT_POLICY_EVAL_CTX_free(ctx);
...@@ -4899,7 +4910,8 @@ static int nss_keylog_int(const char *prefix, ...@@ -4899,7 +4910,8 @@ static int nss_keylog_int(const char *prefix,
prefix_len = strlen(prefix); prefix_len = strlen(prefix);
out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3; out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3;
if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) {
SSLerr(SSL_F_NSS_KEYLOG_INT, ERR_R_MALLOC_FAILURE); SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT,
ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
...@@ -4932,7 +4944,8 @@ int ssl_log_rsa_client_key_exchange(SSL *ssl, ...@@ -4932,7 +4944,8 @@ int ssl_log_rsa_client_key_exchange(SSL *ssl,
size_t premaster_len) size_t premaster_len)
{ {
if (encrypted_premaster_len < 8) { if (encrypted_premaster_len < 8) {
SSLerr(SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLfatal(ssl, SSL_AD_INTERNAL_ERROR,
SSL_F_SSL_LOG_RSA_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -4960,23 +4973,21 @@ int ssl_log_secret(SSL *ssl, ...@@ -4960,23 +4973,21 @@ int ssl_log_secret(SSL *ssl,
#define SSLV2_CIPHER_LEN 3 #define SSLV2_CIPHER_LEN 3
int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format)
int *al)
{ {
int n; int n;
n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
if (PACKET_remaining(cipher_suites) == 0) { if (PACKET_remaining(cipher_suites) == 0) {
SSLerr(SSL_F_SSL_CACHE_CIPHERLIST, SSL_R_NO_CIPHERS_SPECIFIED); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_CACHE_CIPHERLIST,
*al = SSL_AD_ILLEGAL_PARAMETER; SSL_R_NO_CIPHERS_SPECIFIED);
return 0; return 0;
} }
if (PACKET_remaining(cipher_suites) % n != 0) { if (PACKET_remaining(cipher_suites) % n != 0) {
SSLerr(SSL_F_SSL_CACHE_CIPHERLIST, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
...@@ -5000,8 +5011,9 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, ...@@ -5000,8 +5011,9 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format,
raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN); raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
s->s3->tmp.ciphers_raw = raw; s->s3->tmp.ciphers_raw = raw;
if (raw == NULL) { if (raw == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
goto err; ERR_R_MALLOC_FAILURE);
return 0;
} }
for (s->s3->tmp.ciphers_rawlen = 0; for (s->s3->tmp.ciphers_rawlen = 0;
PACKET_remaining(&sslv2ciphers) > 0; PACKET_remaining(&sslv2ciphers) > 0;
...@@ -5012,41 +5024,40 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format, ...@@ -5012,41 +5024,40 @@ int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format,
TLS_CIPHER_LEN)) TLS_CIPHER_LEN))
|| (leadbyte != 0 || (leadbyte != 0
&& !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) { && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
SSL_R_BAD_PACKET);
OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_free(s->s3->tmp.ciphers_raw);
s->s3->tmp.ciphers_raw = NULL; s->s3->tmp.ciphers_raw = NULL;
s->s3->tmp.ciphers_rawlen = 0; s->s3->tmp.ciphers_rawlen = 0;
goto err; return 0;
} }
if (leadbyte == 0) if (leadbyte == 0)
s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN; s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN;
} }
} else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw, } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
&s->s3->tmp.ciphers_rawlen)) { &s->s3->tmp.ciphers_rawlen)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CACHE_CIPHERLIST,
goto err; ERR_R_INTERNAL_ERROR);
return 0;
} }
return 1; return 1;
err:
return 0;
} }
int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
int isv2format, STACK_OF(SSL_CIPHER) **sk, int isv2format, STACK_OF(SSL_CIPHER) **sk,
STACK_OF(SSL_CIPHER) **scsvs) STACK_OF(SSL_CIPHER) **scsvs)
{ {
int alert;
PACKET pkt; PACKET pkt;
if (!PACKET_buf_init(&pkt, bytes, len)) if (!PACKET_buf_init(&pkt, bytes, len))
return 0; return 0;
return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, &alert); return bytes_to_cipher_list(s, &pkt, sk, scsvs, isv2format, 0);
} }
int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **skp, STACK_OF(SSL_CIPHER) **skp,
STACK_OF(SSL_CIPHER) **scsvs_out, STACK_OF(SSL_CIPHER) **scsvs_out,
int sslv2format, int *al) int sslv2format, int fatal)
{ {
const SSL_CIPHER *c; const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk = NULL; STACK_OF(SSL_CIPHER) *sk = NULL;
...@@ -5058,23 +5069,32 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, ...@@ -5058,23 +5069,32 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN; n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;
if (PACKET_remaining(cipher_suites) == 0) { if (PACKET_remaining(cipher_suites) == 0) {
if (fatal)
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_BYTES_TO_CIPHER_LIST,
SSL_R_NO_CIPHERS_SPECIFIED);
else
SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED); SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
*al = SSL_AD_ILLEGAL_PARAMETER;
return 0; return 0;
} }
if (PACKET_remaining(cipher_suites) % n != 0) { if (PACKET_remaining(cipher_suites) % n != 0) {
if (fatal)
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST,
SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
else
SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSLerr(SSL_F_BYTES_TO_CIPHER_LIST,
SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
sk = sk_SSL_CIPHER_new_null(); sk = sk_SSL_CIPHER_new_null();
scsvs = sk_SSL_CIPHER_new_null(); scsvs = sk_SSL_CIPHER_new_null();
if (sk == NULL || scsvs == NULL) { if (sk == NULL || scsvs == NULL) {
if (fatal)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_BYTES_TO_CIPHER_LIST,
ERR_R_MALLOC_FAILURE);
else
SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
*al = SSL_AD_INTERNAL_ERROR;
goto err; goto err;
} }
...@@ -5092,14 +5112,20 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, ...@@ -5092,14 +5112,20 @@ int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
if (c != NULL) { if (c != NULL) {
if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) || if ((c->valid && !sk_SSL_CIPHER_push(sk, c)) ||
(!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) { (!c->valid && !sk_SSL_CIPHER_push(scsvs, c))) {
if (fatal)
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
else
SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
*al = SSL_AD_INTERNAL_ERROR;
goto err; goto err;
} }
} }
} }
if (PACKET_remaining(cipher_suites) > 0) { if (PACKET_remaining(cipher_suites) > 0) {
*al = SSL_AD_DECODE_ERROR; if (fatal)
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_BYTES_TO_CIPHER_LIST,
SSL_R_BAD_LENGTH);
else
SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH); SSLerr(SSL_F_BYTES_TO_CIPHER_LIST, SSL_R_BAD_LENGTH);
goto err; goto err;
} }
......
ssl/ssl_locl.h
浏览文件 @ f63a17d6
...@@ -2132,7 +2132,7 @@ void ssl_cert_clear_certs(CERT *c); ...@@ -2132,7 +2132,7 @@ void ssl_cert_clear_certs(CERT *c);
void ssl_cert_free(CERT *c); void ssl_cert_free(CERT *c);
__owur int ssl_generate_session_id(SSL *s, SSL_SESSION *ss); __owur int ssl_generate_session_id(SSL *s, SSL_SESSION *ss);
__owur int ssl_get_new_session(SSL *s, int session); __owur int ssl_get_new_session(SSL *s, int session);
__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al); __owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); __owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
__owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
...@@ -2144,12 +2144,11 @@ __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, ...@@ -2144,12 +2144,11 @@ __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
**sorted, **sorted,
const char *rule_str, const char *rule_str,
CERT *c); CERT *c);
__owur int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, __owur int ssl_cache_cipherlist(SSL *s, PACKET *cipher_suites, int sslv2format);
int sslv2format, int *al);
__owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **skp, STACK_OF(SSL_CIPHER) **skp,
STACK_OF(SSL_CIPHER) **scsvs, int sslv2format, STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
int *al); int fatal);
void ssl_update_cache(SSL *s, int mode); void ssl_update_cache(SSL *s, int mode);
__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type, const EVP_MD **md, int *mac_pkey_type,
...@@ -2231,7 +2230,7 @@ __owur size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t slen, ...@@ -2231,7 +2230,7 @@ __owur size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t slen,
__owur int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len); __owur int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len);
void ssl3_free_digest_list(SSL *s); void ssl3_free_digest_list(SSL *s);
__owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
CERT_PKEY *cpk, int *al); CERT_PKEY *cpk);
__owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *clnt,
STACK_OF(SSL_CIPHER) *srvr); STACK_OF(SSL_CIPHER) *srvr);
...@@ -2386,7 +2385,7 @@ __owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, ...@@ -2386,7 +2385,7 @@ __owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen,
void tls1_get_formatlist(SSL *s, const unsigned char **pformats, void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
size_t *num_formats); size_t *num_formats);
__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
__owur EVP_PKEY *ssl_generate_pkey_group(uint16_t id); __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id);
__owur EVP_PKEY *ssl_generate_param_group(uint16_t id); __owur EVP_PKEY *ssl_generate_param_group(uint16_t id);
# endif /* OPENSSL_NO_EC */ # endif /* OPENSSL_NO_EC */
...@@ -2444,7 +2443,7 @@ __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee); ...@@ -2444,7 +2443,7 @@ __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
__owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex, __owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,
int vfy); int vfy);
int tls_choose_sigalg(SSL *s, int *al); int tls_choose_sigalg(SSL *s, int fatalerrs);
__owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md); __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);
void ssl_clear_hash_ctx(EVP_MD_CTX **hash); void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
...@@ -2520,9 +2519,9 @@ void custom_ext_init(custom_ext_methods *meths); ...@@ -2520,9 +2519,9 @@ void custom_ext_init(custom_ext_methods *meths);
__owur int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, __owur int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
const unsigned char *ext_data, size_t ext_size, const unsigned char *ext_data, size_t ext_size,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
__owur int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, __owur int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x,
size_t chainidx, int maxversion, int *al); size_t chainidx, int maxversion);
__owur int custom_exts_copy(custom_ext_methods *dst, __owur int custom_exts_copy(custom_ext_methods *dst,
const custom_ext_methods *src); const custom_ext_methods *src);
......
ssl/ssl_sess.c
浏览文件 @ f63a17d6
...@@ -322,7 +322,8 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss) ...@@ -322,7 +322,8 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss)
ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
break; break;
default: default:
SSLerr(SSL_F_SSL_GENERATE_SESSION_ID, SSL_R_UNSUPPORTED_SSL_VERSION); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
SSL_R_UNSUPPORTED_SSL_VERSION);
return 0; return 0;
} }
...@@ -360,7 +361,7 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss) ...@@ -360,7 +361,7 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss)
tmp = (int)ss->session_id_length; tmp = (int)ss->session_id_length;
if (!cb(s, ss->session_id, &tmp)) { if (!cb(s, ss->session_id, &tmp)) {
/* The callback failed */ /* The callback failed */
SSLerr(SSL_F_SSL_GENERATE_SESSION_ID, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
return 0; return 0;
} }
...@@ -370,7 +371,7 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss) ...@@ -370,7 +371,7 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss)
*/ */
if (tmp == 0 || tmp > ss->session_id_length) { if (tmp == 0 || tmp > ss->session_id_length) {
/* The callback set an illegal length */ /* The callback set an illegal length */
SSLerr(SSL_F_SSL_GENERATE_SESSION_ID, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
return 0; return 0;
} }
...@@ -378,7 +379,8 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss) ...@@ -378,7 +379,8 @@ int ssl_generate_session_id(SSL *s, SSL_SESSION *ss)
/* Finally, check for a conflict */ /* Finally, check for a conflict */
if (SSL_has_matching_session_id(s, ss->session_id, if (SSL_has_matching_session_id(s, ss->session_id,
(unsigned int)ss->session_id_length)) { (unsigned int)ss->session_id_length)) {
SSLerr(SSL_F_SSL_GENERATE_SESSION_ID, SSL_R_SSL_SESSION_ID_CONFLICT); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_SESSION_ID,
SSL_R_SSL_SESSION_ID_CONFLICT);
return 0; return 0;
} }
...@@ -391,8 +393,11 @@ int ssl_get_new_session(SSL *s, int session) ...@@ -391,8 +393,11 @@ int ssl_get_new_session(SSL *s, int session)
SSL_SESSION *ss = NULL; SSL_SESSION *ss = NULL;
if ((ss = SSL_SESSION_new()) == NULL) if ((ss = SSL_SESSION_new()) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION,
ERR_R_MALLOC_FAILURE);
return 0; return 0;
}
/* If the context has a default timeout, use it */ /* If the context has a default timeout, use it */
if (s->session_ctx->session_timeout == 0) if (s->session_ctx->session_timeout == 0)
...@@ -405,6 +410,7 @@ int ssl_get_new_session(SSL *s, int session) ...@@ -405,6 +410,7 @@ int ssl_get_new_session(SSL *s, int session)
if (session) { if (session) {
if (!ssl_generate_session_id(s, ss)) { if (!ssl_generate_session_id(s, ss)) {
/* SSLfatal() already called */
SSL_SESSION_free(ss); SSL_SESSION_free(ss);
return 0; return 0;
} }
...@@ -412,7 +418,8 @@ int ssl_get_new_session(SSL *s, int session) ...@@ -412,7 +418,8 @@ int ssl_get_new_session(SSL *s, int session)
if (s->ext.hostname) { if (s->ext.hostname) {
ss->ext.hostname = OPENSSL_strdup(s->ext.hostname); ss->ext.hostname = OPENSSL_strdup(s->ext.hostname);
if (ss->ext.hostname == NULL) { if (ss->ext.hostname == NULL) {
SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION,
ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(ss); SSL_SESSION_free(ss);
return 0; return 0;
} }
...@@ -422,7 +429,8 @@ int ssl_get_new_session(SSL *s, int session) ...@@ -422,7 +429,8 @@ int ssl_get_new_session(SSL *s, int session)
} }
if (s->sid_ctx_length > sizeof ss->sid_ctx) { if (s->sid_ctx_length > sizeof ss->sid_ctx) {
SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_NEW_SESSION,
ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(ss); SSL_SESSION_free(ss);
return 0; return 0;
} }
...@@ -456,7 +464,7 @@ int ssl_get_new_session(SSL *s, int session) ...@@ -456,7 +464,7 @@ int ssl_get_new_session(SSL *s, int session)
* - Both for new and resumed sessions, s->ext.ticket_expected is set to 1 * - Both for new and resumed sessions, s->ext.ticket_expected is set to 1
* if the server should issue a new session ticket (to 0 otherwise). * if the server should issue a new session ticket (to 0 otherwise).
*/ */
int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al) int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
{ {
/* This is used only by servers. */ /* This is used only by servers. */
...@@ -468,9 +476,9 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al) ...@@ -468,9 +476,9 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes, if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes,
SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts, SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts,
NULL, 0, al) NULL, 0)
|| !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO, || !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO,
hello->pre_proc_exts, NULL, 0, al)) hello->pre_proc_exts, NULL, 0))
return -1; return -1;
ret = s->session; ret = s->session;
...@@ -481,6 +489,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al) ...@@ -481,6 +489,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
case TICKET_FATAL_ERR_MALLOC: case TICKET_FATAL_ERR_MALLOC:
case TICKET_FATAL_ERR_OTHER: case TICKET_FATAL_ERR_OTHER:
fatal = 1; fatal = 1;
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
case TICKET_NONE: case TICKET_NONE:
case TICKET_EMPTY: case TICKET_EMPTY:
...@@ -584,7 +594,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al) ...@@ -584,7 +594,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
* noticing). * noticing).
*/ */
SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GET_PREV_SESSION,
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
fatal = 1; fatal = 1;
goto err; goto err;
...@@ -604,8 +614,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al) ...@@ -604,8 +614,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
if (ret->flags & SSL_SESS_FLAG_EXTMS) { if (ret->flags & SSL_SESS_FLAG_EXTMS) {
/* If old session includes extms, but new does not: abort handshake */ /* If old session includes extms, but new does not: abort handshake */
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) { if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)) {
SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_INCONSISTENT_EXTMS); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL_GET_PREV_SESSION,
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); SSL_R_INCONSISTENT_EXTMS);
fatal = 1; fatal = 1;
goto err; goto err;
} }
...@@ -640,10 +650,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al) ...@@ -640,10 +650,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
s->ext.ticket_expected = 1; s->ext.ticket_expected = 1;
} }
} }
if (fatal) { if (fatal)
*al = SSL_AD_INTERNAL_ERROR;
return -1; return -1;
}
return 0; return 0;
} }
......
ssl/statem/extensions.c
浏览文件 @ f63a17d6
...@@ -12,14 +12,11 @@ ...@@ -12,14 +12,11 @@
#include "../ssl_locl.h" #include "../ssl_locl.h"
#include "statem_locl.h" #include "statem_locl.h"
static int final_renegotiate(SSL *s, unsigned int context, int sent, static int final_renegotiate(SSL *s, unsigned int context, int sent);
int *al);
static int init_server_name(SSL *s, unsigned int context); static int init_server_name(SSL *s, unsigned int context);
static int final_server_name(SSL *s, unsigned int context, int sent, static int final_server_name(SSL *s, unsigned int context, int sent);
int *al);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
int *al);
#endif #endif
static int init_session_ticket(SSL *s, unsigned int context); static int init_session_ticket(SSL *s, unsigned int context);
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
...@@ -29,33 +26,32 @@ static int init_status_request(SSL *s, unsigned int context); ...@@ -29,33 +26,32 @@ static int init_status_request(SSL *s, unsigned int context);
static int init_npn(SSL *s, unsigned int context); static int init_npn(SSL *s, unsigned int context);
#endif #endif
static int init_alpn(SSL *s, unsigned int context); static int init_alpn(SSL *s, unsigned int context);
static int final_alpn(SSL *s, unsigned int context, int sent, int *al); static int final_alpn(SSL *s, unsigned int context, int sent);
static int init_sig_algs(SSL *s, unsigned int context); static int init_sig_algs(SSL *s, unsigned int context);
static int init_certificate_authorities(SSL *s, unsigned int context); static int init_certificate_authorities(SSL *s, unsigned int context);
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
unsigned int context, unsigned int context,
X509 *x, X509 *x,
size_t chainidx, size_t chainidx);
int *al);
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
static int init_srp(SSL *s, unsigned int context); static int init_srp(SSL *s, unsigned int context);
#endif #endif
static int init_etm(SSL *s, unsigned int context); static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context); static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent, int *al); static int final_ems(SSL *s, unsigned int context, int sent);
static int init_psk_kex_modes(SSL *s, unsigned int context); static int init_psk_kex_modes(SSL *s, unsigned int context);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static int final_key_share(SSL *s, unsigned int context, int sent, int *al); static int final_key_share(SSL *s, unsigned int context, int sent);
#endif #endif
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
static int init_srtp(SSL *s, unsigned int context); static int init_srtp(SSL *s, unsigned int context);
#endif #endif
static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al); static int final_sig_algs(SSL *s, unsigned int context, int sent);
static int final_early_data(SSL *s, unsigned int context, int sent, int *al); static int final_early_data(SSL *s, unsigned int context, int sent);
static int final_maxfragmentlen(SSL *s, unsigned int context, int sent, int *al); static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
/* Structure to define a built-in extension */ /* Structure to define a built-in extension */
typedef struct extensions_definition_st { typedef struct extensions_definition_st {
...@@ -73,22 +69,22 @@ typedef struct extensions_definition_st { ...@@ -73,22 +69,22 @@ typedef struct extensions_definition_st {
int (*init)(SSL *s, unsigned int context); int (*init)(SSL *s, unsigned int context);
/* Parse extension sent from client to server */ /* Parse extension sent from client to server */
int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
/* Parse extension send from server to client */ /* Parse extension send from server to client */
int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
/* Construct extension sent from server to client */ /* Construct extension sent from server to client */
EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
/* Construct extension sent from client to server */ /* Construct extension sent from client to server */
EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
/* /*
* Finalise extension after parsing. Always called where an extensions was * Finalise extension after parsing. Always called where an extensions was
* initialised even if the extension was not present. |sent| is set to 1 if * initialised even if the extension was not present. |sent| is set to 1 if
* the extension was seen, or 0 otherwise. * the extension was seen, or 0 otherwise.
*/ */
int (*final)(SSL *s, unsigned int context, int sent, int *al); int (*final)(SSL *s, unsigned int context, int sent);
} EXTENSION_DEFINITION; } EXTENSION_DEFINITION;
/* /*
...@@ -458,8 +454,7 @@ int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) ...@@ -458,8 +454,7 @@ int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
* extensions that we know about. We ignore others. * extensions that we know about. We ignore others.
*/ */
int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
RAW_EXTENSION **res, int *al, size_t *len, RAW_EXTENSION **res, size_t *len, int init)
int init)
{ {
PACKET extensions = *packet; PACKET extensions = *packet;
size_t i = 0; size_t i = 0;
...@@ -480,8 +475,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -480,8 +475,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0); num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
if (raw_extensions == NULL) { if (raw_extensions == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
...@@ -493,8 +488,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -493,8 +488,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
if (!PACKET_get_net_2(&extensions, &type) || if (!PACKET_get_net_2(&extensions, &type) ||
!PACKET_get_length_prefixed_2(&extensions, &extension)) { !PACKET_get_length_prefixed_2(&extensions, &extension)) {
SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
*al = SSL_AD_DECODE_ERROR; SSL_R_BAD_EXTENSION);
goto err; goto err;
} }
/* /*
...@@ -507,8 +502,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -507,8 +502,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
|| (type == TLSEXT_TYPE_psk || (type == TLSEXT_TYPE_psk
&& (context & SSL_EXT_CLIENT_HELLO) != 0 && (context & SSL_EXT_CLIENT_HELLO) != 0
&& PACKET_remaining(&extensions) != 0)) { && PACKET_remaining(&extensions) != 0)) {
SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
*al = SSL_AD_ILLEGAL_PARAMETER; SSL_R_BAD_EXTENSION);
goto err; goto err;
} }
idx = thisex - raw_extensions; idx = thisex - raw_extensions;
...@@ -534,8 +529,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -534,8 +529,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
&& type != TLSEXT_TYPE_renegotiate && type != TLSEXT_TYPE_renegotiate
&& type != TLSEXT_TYPE_signed_certificate_timestamp && type != TLSEXT_TYPE_signed_certificate_timestamp
&& (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) { && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION); SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
*al = SSL_AD_UNSUPPORTED_EXTENSION; SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
goto err; goto err;
} }
if (thisex != NULL) { if (thisex != NULL) {
...@@ -561,7 +556,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -561,7 +556,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
if (thisexd->init != NULL && (thisexd->context & context) != 0 if (thisexd->init != NULL && (thisexd->context & context) != 0
&& extension_is_relevant(s, thisexd->context, context) && extension_is_relevant(s, thisexd->context, context)
&& !thisexd->init(s, context)) { && !thisexd->init(s, context)) {
*al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
goto err; goto err;
} }
} }
...@@ -589,11 +584,11 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, ...@@ -589,11 +584,11 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
* this counted as success. * this counted as success.
*/ */
int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al) RAW_EXTENSION *exts, X509 *x, size_t chainidx)
{ {
RAW_EXTENSION *currext = &exts[idx]; RAW_EXTENSION *currext = &exts[idx];
int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) = NULL; size_t chainidx) = NULL;
/* Skip if the extension is not present */ /* Skip if the extension is not present */
if (!currext->present) if (!currext->present)
...@@ -616,7 +611,7 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, ...@@ -616,7 +611,7 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
if (parser != NULL) if (parser != NULL)
return parser(s, &currext->data, context, x, chainidx, al); return parser(s, &currext->data, context, x, chainidx);
/* /*
* If the parser is NULL we fall through to the custom extension * If the parser is NULL we fall through to the custom extension
...@@ -625,13 +620,10 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, ...@@ -625,13 +620,10 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
} }
/* Parse custom extensions */ /* Parse custom extensions */
if (custom_ext_parse(s, context, currext->type, return custom_ext_parse(s, context, currext->type,
PACKET_data(&currext->data), PACKET_data(&currext->data),
PACKET_remaining(&currext->data), PACKET_remaining(&currext->data),
x, chainidx, al) <= 0) x, chainidx);
return 0;
return 1;
} }
/* /*
...@@ -643,7 +635,7 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, ...@@ -643,7 +635,7 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
* failure, |*al| is populated with a suitable alert code. * failure, |*al| is populated with a suitable alert code.
*/ */
int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
size_t chainidx, int *al, int fin) size_t chainidx, int fin)
{ {
size_t i, numexts = OSSL_NELEM(ext_defs); size_t i, numexts = OSSL_NELEM(ext_defs);
const EXTENSION_DEFINITION *thisexd; const EXTENSION_DEFINITION *thisexd;
...@@ -653,9 +645,11 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, ...@@ -653,9 +645,11 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
/* Parse each extension in turn */ /* Parse each extension in turn */
for (i = 0; i < numexts; i++) { for (i = 0; i < numexts; i++) {
if (!tls_parse_extension(s, i, context, exts, x, chainidx, al)) if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
/* SSLfatal() already called */
return 0; return 0;
} }
}
if (fin) { if (fin) {
/* /*
...@@ -665,10 +659,12 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, ...@@ -665,10 +659,12 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
i++, thisexd++) { i++, thisexd++) {
if (thisexd->final != NULL && (thisexd->context & context) != 0 if (thisexd->final != NULL && (thisexd->context & context) != 0
&& !thisexd->final(s, context, exts[i].present, al)) && !thisexd->final(s, context, exts[i].present)) {
/* SSLfatal() already called */
return 0; return 0;
} }
} }
}
return 1; return 1;
} }
...@@ -702,23 +698,16 @@ int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, ...@@ -702,23 +698,16 @@ int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
* them to |pkt|. If this is an extension for a Certificate in a Certificate * them to |pkt|. If this is an extension for a Certificate in a Certificate
* message, then |x| will be set to the Certificate we are handling, and * message, then |x| will be set to the Certificate we are handling, and
* |chainidx| will indicate the position in the chainidx we are processing (with * |chainidx| will indicate the position in the chainidx we are processing (with
* 0 being the first in the chain). Returns 1 on success or 0 on failure. If a * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
* failure occurs then |al| is populated with a suitable alert code. On a
* failure construction stops at the first extension to fail to construct. * failure construction stops at the first extension to fail to construct.
*/ */
int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
size_t i; size_t i;
int min_version, max_version = 0, reason, tmpal; int min_version, max_version = 0, reason;
const EXTENSION_DEFINITION *thisexd; const EXTENSION_DEFINITION *thisexd;
/*
* Normally if something goes wrong during construction it's an internal
* error. We can always override this later.
*/
tmpal = SSL_AD_INTERNAL_ERROR;
if (!WPACKET_start_sub_packet_u16(pkt) if (!WPACKET_start_sub_packet_u16(pkt)
/* /*
* If extensions are of zero length then we don't even add the * If extensions are of zero length then we don't even add the
...@@ -729,15 +718,17 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -729,15 +718,17 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
(SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
&& !WPACKET_set_flags(pkt, && !WPACKET_set_flags(pkt,
WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
goto err; ERR_R_INTERNAL_ERROR);
return 0;
} }
if ((context & SSL_EXT_CLIENT_HELLO) != 0) { if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
reason = ssl_get_min_max_version(s, &min_version, &max_version); reason = ssl_get_min_max_version(s, &min_version, &max_version);
if (reason != 0) { if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
goto err; reason);
return 0;
} }
} }
...@@ -746,14 +737,14 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -746,14 +737,14 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
/* On the server side with initialise during ClientHello parsing */ /* On the server side with initialise during ClientHello parsing */
custom_ext_init(&s->cert->custext); custom_ext_init(&s->cert->custext);
} }
if (!custom_ext_add(s, context, pkt, x, chainidx, max_version, &tmpal)) { if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; return 0;
} }
for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
EXT_RETURN ret; EXT_RETURN ret;
/* Skip if not relevant for our context */ /* Skip if not relevant for our context */
...@@ -766,9 +757,11 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -766,9 +757,11 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
if (construct == NULL) if (construct == NULL)
continue; continue;
ret = construct(s, pkt, context, x, chainidx, &tmpal); ret = construct(s, pkt, context, x, chainidx);
if (ret == EXT_RETURN_FAIL) if (ret == EXT_RETURN_FAIL) {
goto err; /* SSLfatal() already called */
return 0;
}
if (ret == EXT_RETURN_SENT if (ret == EXT_RETURN_SENT
&& (context & (SSL_EXT_CLIENT_HELLO && (context & (SSL_EXT_CLIENT_HELLO
| SSL_EXT_TLS1_3_CERTIFICATE_REQUEST | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
...@@ -777,15 +770,12 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -777,15 +770,12 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
} }
if (!WPACKET_close(pkt)) { if (!WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
goto err; ERR_R_INTERNAL_ERROR);
return 0;
} }
return 1; return 1;
err:
*al = tmpal;
return 0;
} }
/* /*
...@@ -796,8 +786,7 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -796,8 +786,7 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
* of a failure then |*al| is populated with a suitable error code. * of a failure then |*al| is populated with a suitable error code.
*/ */
static int final_renegotiate(SSL *s, unsigned int context, int sent, static int final_renegotiate(SSL *s, unsigned int context, int sent)
int *al)
{ {
if (!s->server) { if (!s->server) {
/* /*
...@@ -807,8 +796,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent, ...@@ -807,8 +796,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent,
if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
&& !sent) { && !sent) {
*al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
SSLerr(SSL_F_FINAL_RENEGOTIATE,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0; return 0;
} }
...@@ -820,8 +808,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent, ...@@ -820,8 +808,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent,
if (s->renegotiate if (s->renegotiate
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
&& !sent) { && !sent) {
*al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
SSLerr(SSL_F_FINAL_RENEGOTIATE,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0; return 0;
} }
...@@ -838,8 +825,7 @@ static int init_server_name(SSL *s, unsigned int context) ...@@ -838,8 +825,7 @@ static int init_server_name(SSL *s, unsigned int context)
return 1; return 1;
} }
static int final_server_name(SSL *s, unsigned int context, int sent, static int final_server_name(SSL *s, unsigned int context, int sent)
int *al)
{ {
int ret = SSL_TLSEXT_ERR_NOACK, discard; int ret = SSL_TLSEXT_ERR_NOACK, discard;
int altmp = SSL_AD_UNRECOGNIZED_NAME; int altmp = SSL_AD_UNRECOGNIZED_NAME;
...@@ -890,23 +876,25 @@ static int final_server_name(SSL *s, unsigned int context, int sent, ...@@ -890,23 +876,25 @@ static int final_server_name(SSL *s, unsigned int context, int sent,
ss->ext.tick_age_add = 0; ss->ext.tick_age_add = 0;
ss->ext.tick_identity = 0; ss->ext.tick_identity = 0;
if (!ssl_generate_session_id(s, ss)) { if (!ssl_generate_session_id(s, ss)) {
ret = SSL_TLSEXT_ERR_ALERT_FATAL; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
altmp = SSL_AD_INTERNAL_ERROR; ERR_R_INTERNAL_ERROR);
return 0;
} }
} else { } else {
ret = SSL_TLSEXT_ERR_ALERT_FATAL; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
altmp = SSL_AD_INTERNAL_ERROR; ERR_R_INTERNAL_ERROR);
return 0;
} }
} }
} }
switch (ret) { switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL: case SSL_TLSEXT_ERR_ALERT_FATAL:
*al = altmp; SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
return 0; return 0;
case SSL_TLSEXT_ERR_ALERT_WARNING: case SSL_TLSEXT_ERR_ALERT_WARNING:
*al = altmp; ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
return 1; return 1;
case SSL_TLSEXT_ERR_NOACK: case SSL_TLSEXT_ERR_NOACK:
...@@ -919,8 +907,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent, ...@@ -919,8 +907,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent,
} }
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
int *al)
{ {
unsigned long alg_k, alg_a; unsigned long alg_k, alg_a;
...@@ -949,7 +936,7 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, ...@@ -949,7 +936,7 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
break; break;
} }
if (i == s->session->ext.ecpointformats_len) { if (i == s->session->ext.ecpointformats_len) {
SSLerr(SSL_F_FINAL_EC_PT_FORMATS, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
return 0; return 0;
} }
...@@ -1008,7 +995,7 @@ static int init_alpn(SSL *s, unsigned int context) ...@@ -1008,7 +995,7 @@ static int init_alpn(SSL *s, unsigned int context)
return 1; return 1;
} }
static int final_alpn(SSL *s, unsigned int context, int sent, int *al) static int final_alpn(SSL *s, unsigned int context, int sent)
{ {
if (!s->server && !sent && s->session->ext.alpn_selected != NULL) if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
s->ext.early_data_ok = 0; s->ext.early_data_ok = 0;
...@@ -1022,8 +1009,10 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al) ...@@ -1022,8 +1009,10 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
* we also have to do this before we decide whether to accept early_data. * we also have to do this before we decide whether to accept early_data.
* In TLSv1.3 we've already negotiated our cipher so we do this call now. * In TLSv1.3 we've already negotiated our cipher so we do this call now.
* For < TLSv1.3 we defer it until after cipher negotiation. * For < TLSv1.3 we defer it until after cipher negotiation.
*
* On failure SSLfatal() already called.
*/ */
return tls_handle_alpn(s, al); return tls_handle_alpn(s);
} }
static int init_sig_algs(SSL *s, unsigned int context) static int init_sig_algs(SSL *s, unsigned int context)
...@@ -1060,7 +1049,7 @@ static int init_ems(SSL *s, unsigned int context) ...@@ -1060,7 +1049,7 @@ static int init_ems(SSL *s, unsigned int context)
return 1; return 1;
} }
static int final_ems(SSL *s, unsigned int context, int sent, int *al) static int final_ems(SSL *s, unsigned int context, int sent)
{ {
if (!s->server && s->hit) { if (!s->server && s->hit) {
/* /*
...@@ -1069,8 +1058,8 @@ static int final_ems(SSL *s, unsigned int context, int sent, int *al) ...@@ -1069,8 +1058,8 @@ static int final_ems(SSL *s, unsigned int context, int sent, int *al)
*/ */
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
!(s->session->flags & SSL_SESS_FLAG_EXTMS)) { !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
*al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS); SSL_R_INCONSISTENT_EXTMS);
return 0; return 0;
} }
} }
...@@ -1088,8 +1077,7 @@ static int init_certificate_authorities(SSL *s, unsigned int context) ...@@ -1088,8 +1077,7 @@ static int init_certificate_authorities(SSL *s, unsigned int context)
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
unsigned int context, unsigned int context,
X509 *x, X509 *x,
size_t chainidx, size_t chainidx)
int *al)
{ {
const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s); const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
...@@ -1097,10 +1085,21 @@ static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, ...@@ -1097,10 +1085,21 @@ static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)) {
|| !construct_ca_names(s, pkt) SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|| !WPACKET_close(pkt)) { SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}
if (!construct_ca_names(s, pkt)) {
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
}
if (!WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1110,12 +1109,13 @@ static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, ...@@ -1110,12 +1109,13 @@ static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (!parse_ca_names(s, pkt, al)) if (!parse_ca_names(s, pkt))
return 0; return 0;
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
return 1; return 1;
...@@ -1131,11 +1131,11 @@ static int init_srtp(SSL *s, unsigned int context) ...@@ -1131,11 +1131,11 @@ static int init_srtp(SSL *s, unsigned int context)
} }
#endif #endif
static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al) static int final_sig_algs(SSL *s, unsigned int context, int sent)
{ {
if (!sent && SSL_IS_TLS13(s) && !s->hit) { if (!sent && SSL_IS_TLS13(s) && !s->hit) {
*al = TLS13_AD_MISSING_EXTENSION; SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
SSLerr(SSL_F_FINAL_SIG_ALGS, SSL_R_MISSING_SIGALGS_EXTENSION); SSL_R_MISSING_SIGALGS_EXTENSION);
return 0; return 0;
} }
...@@ -1143,7 +1143,7 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al) ...@@ -1143,7 +1143,7 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al)
} }
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static int final_key_share(SSL *s, unsigned int context, int sent, int *al) static int final_key_share(SSL *s, unsigned int context, int sent)
{ {
if (!SSL_IS_TLS13(s)) if (!SSL_IS_TLS13(s))
return 1; return 1;
...@@ -1168,8 +1168,8 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al) ...@@ -1168,8 +1168,8 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
&& (!s->hit && (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
/* Nothing left we can do - just fail */ /* Nothing left we can do - just fail */
*al = SSL_AD_MISSING_EXTENSION; SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); SSL_R_NO_SUITABLE_KEY_SHARE);
return 0; return 0;
} }
/* /*
...@@ -1230,11 +1230,9 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al) ...@@ -1230,11 +1230,9 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
if (!s->hit if (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) { || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
/* Nothing left we can do - just fail */ /* Nothing left we can do - just fail */
if (!sent) SSLfatal(s,
*al = SSL_AD_MISSING_EXTENSION; sent ? SSL_AD_HANDSHAKE_FAILURE : SSL_AD_MISSING_EXTENSION,
else SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
return 0; return 0;
} }
} }
...@@ -1249,8 +1247,8 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al) ...@@ -1249,8 +1247,8 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
* processing). * processing).
*/ */
if (!sent && !s->server && !tls13_generate_handshake_secret(s, NULL, 0)) { if (!sent && !s->server && !tls13_generate_handshake_secret(s, NULL, 0)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -1442,7 +1440,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, ...@@ -1442,7 +1440,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
return ret; return ret;
} }
static int final_early_data(SSL *s, unsigned int context, int sent, int *al) static int final_early_data(SSL *s, unsigned int context, int sent)
{ {
if (!sent) if (!sent)
return 1; return 1;
...@@ -1456,7 +1454,8 @@ static int final_early_data(SSL *s, unsigned int context, int sent, int *al) ...@@ -1456,7 +1454,8 @@ static int final_early_data(SSL *s, unsigned int context, int sent, int *al)
* later realised that it shouldn't have done (e.g. inconsistent * later realised that it shouldn't have done (e.g. inconsistent
* ALPN) * ALPN)
*/ */
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
SSL_R_BAD_EARLY_DATA);
return 0; return 0;
} }
...@@ -1475,7 +1474,7 @@ static int final_early_data(SSL *s, unsigned int context, int sent, int *al) ...@@ -1475,7 +1474,7 @@ static int final_early_data(SSL *s, unsigned int context, int sent, int *al)
if (!tls13_change_cipher_state(s, if (!tls13_change_cipher_state(s,
SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) { SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
*al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
return 0; return 0;
} }
} }
...@@ -1483,24 +1482,27 @@ static int final_early_data(SSL *s, unsigned int context, int sent, int *al) ...@@ -1483,24 +1482,27 @@ static int final_early_data(SSL *s, unsigned int context, int sent, int *al)
return 1; return 1;
} }
static int final_maxfragmentlen(SSL *ssl, unsigned int context, int sent, int *al) static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
{ {
/* /*
* Session resumption on server-side with MFL extension active * Session resumption on server-side with MFL extension active
* BUT MFL extension packet was not resent (i.e. sent == 0) * BUT MFL extension packet was not resent (i.e. sent == 0)
*/ */
if (ssl->server && ssl->hit && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
&& !sent ) { && !sent ) {
*al = SSL_AD_MISSING_EXTENSION; SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
/* Current SSL buffer is lower than requested MFL */ /* Current SSL buffer is lower than requested MFL */
if (ssl->session && USE_MAX_FRAGMENT_LENGTH_EXT(ssl->session) if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
&& ssl->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(ssl->session)) && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
/* trigger a larger buffer reallocation */ /* trigger a larger buffer reallocation */
if (!ssl3_setup_buffers(ssl)) if (!ssl3_setup_buffers(s)) {
/* SSLfatal() already called */
return 0; return 0;
}
return 1; return 1;
} }
ssl/statem/extensions_clnt.c
浏览文件 @ f63a17d6
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
/* Add RI if renegotiating */ /* Add RI if renegotiating */
if (!s->renegotiate) if (!s->renegotiate)
...@@ -25,7 +25,8 @@ EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, ...@@ -25,7 +25,8 @@ EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
|| !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished, || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
s->s3->previous_client_finished_len) s->s3->previous_client_finished_len)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -34,7 +35,7 @@ EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, ...@@ -34,7 +35,7 @@ EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (s->ext.hostname == NULL) if (s->ext.hostname == NULL)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -50,7 +51,8 @@ EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, ...@@ -50,7 +51,8 @@ EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
strlen(s->ext.hostname)) strlen(s->ext.hostname))
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -60,7 +62,7 @@ EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, ...@@ -60,7 +62,7 @@ EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
/* Push a Max Fragment Len extension into ClientHello */ /* Push a Max Fragment Len extension into ClientHello */
EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -75,7 +77,8 @@ EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, ...@@ -75,7 +77,8 @@ EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -84,7 +87,7 @@ EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, ...@@ -84,7 +87,7 @@ EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
/* Add SRP username if there is one */ /* Add SRP username if there is one */
if (s->srp_ctx.login == NULL) if (s->srp_ctx.login == NULL)
...@@ -100,7 +103,8 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -100,7 +103,8 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
strlen(s->srp_ctx.login)) strlen(s->srp_ctx.login))
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SRP, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -137,7 +141,7 @@ static int use_ecc(SSL *s) ...@@ -137,7 +141,7 @@ static int use_ecc(SSL *s)
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
const unsigned char *pformats; const unsigned char *pformats;
size_t num_formats; size_t num_formats;
...@@ -153,7 +157,8 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, ...@@ -153,7 +157,8 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -162,7 +167,7 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, ...@@ -162,7 +167,7 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
const uint16_t *pgroups = NULL; const uint16_t *pgroups = NULL;
size_t num_groups = 0, i; size_t num_groups = 0, i;
...@@ -180,7 +185,8 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, ...@@ -180,7 +185,8 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
/* Sub-packet for supported_groups extension */ /* Sub-packet for supported_groups extension */
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -208,7 +214,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, ...@@ -208,7 +214,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
size_t ticklen; size_t ticklen;
...@@ -224,7 +230,8 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, ...@@ -224,7 +230,8 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
ticklen = s->ext.session_ticket->length; ticklen = s->ext.session_ticket->length;
s->session->ext.tick = OPENSSL_malloc(ticklen); s->session->ext.tick = OPENSSL_malloc(ticklen);
if (s->session->ext.tick == NULL) { if (s->session->ext.tick == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -241,7 +248,8 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, ...@@ -241,7 +248,8 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
|| !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -250,7 +258,7 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, ...@@ -250,7 +258,7 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
size_t salglen; size_t salglen;
const uint16_t *salg; const uint16_t *salg;
...@@ -267,7 +275,8 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, ...@@ -267,7 +275,8 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
|| !tls12_copy_sigalgs(s, pkt, salg, salglen) || !tls12_copy_sigalgs(s, pkt, salg, salglen)
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -277,7 +286,7 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, ...@@ -277,7 +286,7 @@ EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
int i; int i;
...@@ -294,7 +303,8 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, ...@@ -294,7 +303,8 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
|| !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
/* Sub-packet for the ids */ /* Sub-packet for the ids */
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
...@@ -306,14 +316,16 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, ...@@ -306,14 +316,16 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
/* Sub-packet for an individual id */ /* Sub-packet for an individual id */
|| !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
|| i2d_OCSP_RESPID(id, &idbytes) != idlen) { || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
} }
if (!WPACKET_close(pkt) if (!WPACKET_close(pkt)
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
if (s->ext.ocsp.exts) { if (s->ext.ocsp.exts) {
...@@ -321,20 +333,23 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, ...@@ -321,20 +333,23 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
if (extlen < 0) { if (extlen < 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
|| i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
!= extlen) { != extlen) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
} }
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -344,7 +359,7 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, ...@@ -344,7 +359,7 @@ EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -355,7 +370,8 @@ EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -355,7 +370,8 @@ EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
*/ */
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_NPN, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -364,7 +380,7 @@ EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -364,7 +380,7 @@ EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
#endif #endif
EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
s->s3->alpn_sent = 0; s->s3->alpn_sent = 0;
...@@ -377,7 +393,8 @@ EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -377,7 +393,8 @@ EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
s->s3->alpn_sent = 1; s->s3->alpn_sent = 1;
...@@ -389,7 +406,7 @@ EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -389,7 +406,7 @@ EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s); STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
int i, end; int i, end;
...@@ -402,7 +419,8 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, ...@@ -402,7 +419,8 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
/* Sub-packet for the protection profile list */ /* Sub-packet for the protection profile list */
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -412,7 +430,8 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, ...@@ -412,7 +430,8 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
sk_SRTP_PROTECTION_PROFILE_value(clnt, i); sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
} }
...@@ -420,7 +439,8 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, ...@@ -420,7 +439,8 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
/* Add an empty use_mki value */ /* Add an empty use_mki value */
|| !WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_put_bytes_u8(pkt, 0)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -429,14 +449,15 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, ...@@ -429,14 +449,15 @@ EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
#endif #endif
EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ETM, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -445,7 +466,7 @@ EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -445,7 +466,7 @@ EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (s->ct_validation_callback == NULL) if (s->ct_validation_callback == NULL)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -456,7 +477,8 @@ EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -456,7 +477,8 @@ EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SCT, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -465,11 +487,12 @@ EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -465,11 +487,12 @@ EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
#endif #endif
EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EMS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -478,21 +501,23 @@ EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -478,21 +501,23 @@ EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
int currv, min_version, max_version, reason; int currv, min_version, max_version, reason;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u8(pkt)) { || !WPACKET_start_sub_packet_u8(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
reason = ssl_get_min_max_version(s, &min_version, &max_version); reason = ssl_get_min_max_version(s, &min_version, &max_version);
if (reason != 0) { if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -505,18 +530,21 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, ...@@ -505,18 +530,21 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
/* TODO(TLS1.3): Remove this first if clause prior to release!! */ /* TODO(TLS1.3): Remove this first if clause prior to release!! */
if (currv == TLS1_3_VERSION) { if (currv == TLS1_3_VERSION) {
if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) { if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
} else if (!WPACKET_put_bytes_u16(pkt, currv)) { } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
} }
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -529,7 +557,7 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, ...@@ -529,7 +557,7 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
*/ */
EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
...@@ -541,7 +569,8 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, ...@@ -541,7 +569,8 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
|| (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -562,7 +591,8 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) ...@@ -562,7 +591,8 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
if (s->s3->tmp.pkey != NULL) { if (s->s3->tmp.pkey != NULL) {
if (!ossl_assert(s->hello_retry_request)) { if (!ossl_assert(s->hello_retry_request)) {
SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* /*
...@@ -570,9 +600,9 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) ...@@ -570,9 +600,9 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
*/ */
key_share_key = s->s3->tmp.pkey; key_share_key = s->s3->tmp.pkey;
} else { } else {
key_share_key = ssl_generate_pkey_group(curve_id); key_share_key = ssl_generate_pkey_group(s, curve_id);
if (key_share_key == NULL) { if (key_share_key == NULL) {
SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EVP_LIB); /* SSLfatal() already called */
return 0; return 0;
} }
} }
...@@ -581,14 +611,15 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) ...@@ -581,14 +611,15 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
&encoded_point); &encoded_point);
if (encodedlen == 0) { if (encodedlen == 0) {
SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
goto err; goto err;
} }
/* Create KeyShareEntry */ /* Create KeyShareEntry */
if (!WPACKET_put_bytes_u16(pkt, curve_id) if (!WPACKET_put_bytes_u16(pkt, curve_id)
|| !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -612,7 +643,7 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) ...@@ -612,7 +643,7 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
size_t i, num_groups = 0; size_t i, num_groups = 0;
...@@ -625,7 +656,8 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, ...@@ -625,7 +656,8 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
/* KeyShare list sub-packet */ /* KeyShare list sub-packet */
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -649,15 +681,19 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, ...@@ -649,15 +681,19 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
} }
if (curve_id == 0) { if (curve_id == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
SSL_R_NO_SUITABLE_KEY_SHARE);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
if (!add_key_share(s, pkt, curve_id)) if (!add_key_share(s, pkt, curve_id)) {
/* SSLfatal() already called */
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
}
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
#endif #endif
...@@ -666,7 +702,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, ...@@ -666,7 +702,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
} }
EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
EXT_RETURN ret = EXT_RETURN_FAIL; EXT_RETURN ret = EXT_RETURN_FAIL;
...@@ -680,7 +716,8 @@ EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -680,7 +716,8 @@ EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
|| !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
s->ext.tls13_cookie_len) s->ext.tls13_cookie_len)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE,
ERR_R_INTERNAL_ERROR);
goto end; goto end;
} }
...@@ -695,7 +732,7 @@ EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -695,7 +732,7 @@ EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
const unsigned char *id = NULL; const unsigned char *id = NULL;
size_t idlen = 0; size_t idlen = 0;
...@@ -711,7 +748,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, ...@@ -711,7 +748,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
|| (psksess != NULL || (psksess != NULL
&& psksess->ssl_version != TLS1_3_VERSION))) { && psksess->ssl_version != TLS1_3_VERSION))) {
SSL_SESSION_free(psksess); SSL_SESSION_free(psksess);
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, SSL_R_BAD_PSK); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
SSL_R_BAD_PSK);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -721,7 +759,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, ...@@ -721,7 +759,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
OPENSSL_free(s->psksession_id); OPENSSL_free(s->psksession_id);
s->psksession_id = OPENSSL_memdup(id, idlen); s->psksession_id = OPENSSL_memdup(id, idlen);
if (s->psksession_id == NULL) { if (s->psksession_id == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
s->psksession_id_len = idlen; s->psksession_id_len = idlen;
...@@ -740,14 +779,15 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, ...@@ -740,14 +779,15 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
if (s->ext.hostname == NULL if (s->ext.hostname == NULL
|| (s->ext.hostname != NULL || (s->ext.hostname != NULL
&& strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
SSL_R_INCONSISTENT_EARLY_DATA_SNI); SSL_R_INCONSISTENT_EARLY_DATA_SNI);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
} }
if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
SSL_R_INCONSISTENT_EARLY_DATA_ALPN); SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -761,7 +801,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, ...@@ -761,7 +801,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
int found = 0; int found = 0;
if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
...@@ -772,7 +813,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, ...@@ -772,7 +813,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
} }
} }
if (!found) { if (!found) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
SSL_R_INCONSISTENT_EARLY_DATA_ALPN); SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -781,7 +823,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, ...@@ -781,7 +823,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -814,7 +857,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, ...@@ -814,7 +857,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
unsigned char *padbytes; unsigned char *padbytes;
size_t hlen; size_t hlen;
...@@ -829,7 +872,8 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, ...@@ -829,7 +872,8 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
* this extension MUST always appear second to last. * this extension MUST always appear second to last.
*/ */
if (!WPACKET_get_total_written(pkt, &hlen)) { if (!WPACKET_get_total_written(pkt, &hlen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -869,7 +913,8 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, ...@@ -869,7 +913,8 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
|| !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
memset(padbytes, 0, hlen); memset(padbytes, 0, hlen);
...@@ -882,7 +927,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, ...@@ -882,7 +927,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
* Construct the pre_shared_key extension * Construct the pre_shared_key extension
*/ */
EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
uint32_t now, agesec, agems = 0; uint32_t now, agesec, agems = 0;
...@@ -914,7 +959,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -914,7 +959,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
if (s->session->ext.ticklen != 0) { if (s->session->ext.ticklen != 0) {
/* Get the digest associated with the ciphersuite in the session */ /* Get the digest associated with the ciphersuite in the session */
if (s->session->cipher == NULL) { if (s->session->cipher == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
mdres = ssl_md(s->session->cipher->algorithm2); mdres = ssl_md(s->session->cipher->algorithm2);
...@@ -985,7 +1031,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -985,7 +1031,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
* Don't recognize this cipher so we can't use the session. * Don't recognize this cipher so we can't use the session.
* If this happens it's an application bug. * If this happens it's an application bug.
*/ */
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, SSL_R_BAD_PSK); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
SSL_R_BAD_PSK);
goto err; goto err;
} }
...@@ -994,7 +1041,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -994,7 +1041,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
* Selected ciphersuite hash does not match the hash for the PSK * Selected ciphersuite hash does not match the hash for the PSK
* session. This is an application bug. * session. This is an application bug.
*/ */
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, SSL_R_BAD_PSK); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
SSL_R_BAD_PSK);
goto err; goto err;
} }
...@@ -1005,7 +1053,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1005,7 +1053,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -1013,7 +1062,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1013,7 +1062,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
s->session->ext.ticklen) s->session->ext.ticklen)
|| !WPACKET_put_bytes_u32(pkt, agems)) { || !WPACKET_put_bytes_u32(pkt, agems)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
} }
...@@ -1022,7 +1072,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1022,7 +1072,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
s->psksession_id_len) s->psksession_id_len)
|| !WPACKET_put_bytes_u32(pkt, 0)) { || !WPACKET_put_bytes_u32(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
} }
...@@ -1042,7 +1093,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1042,7 +1093,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
* calculate the HMAC of the message up to the binders * calculate the HMAC of the message up to the binders
*/ */
|| !WPACKET_fill_lengths(pkt)) { || !WPACKET_fill_lengths(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -1051,14 +1103,16 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1051,14 +1103,16 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
if (dores if (dores
&& tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
resbinder, s->session, 1, 0) != 1) { resbinder, s->session, 1, 0) != 1) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
if (s->psksession != NULL if (s->psksession != NULL
&& tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
pskbinder, s->psksession, 1, 1) != 1) { pskbinder, s->psksession, 1, 1) != 1) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -1079,7 +1133,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1079,7 +1133,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
* Parse the server's renegotiation binding and abort if it's not right * Parse the server's renegotiation binding and abort if it's not right
*/ */
int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
size_t expected_len = s->s3->previous_client_finished_len size_t expected_len = s->s3->previous_client_finished_len
+ s->s3->previous_server_finished_len; + s->s3->previous_server_finished_len;
...@@ -1091,49 +1145,45 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1091,49 +1145,45 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
|| s->s3->previous_client_finished_len != 0) || s->s3->previous_client_finished_len != 0)
|| !ossl_assert(expected_len == 0 || !ossl_assert(expected_len == 0
|| s->s3->previous_server_finished_len != 0)) { || s->s3->previous_server_finished_len != 0)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* Parse the length byte */ /* Parse the length byte */
if (!PACKET_get_1_len(pkt, &ilen)) { if (!PACKET_get_1_len(pkt, &ilen)) {
SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
SSL_R_RENEGOTIATION_ENCODING_ERR); SSL_R_RENEGOTIATION_ENCODING_ERR);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
/* Consistency check */ /* Consistency check */
if (PACKET_remaining(pkt) != ilen) { if (PACKET_remaining(pkt) != ilen) {
SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
SSL_R_RENEGOTIATION_ENCODING_ERR); SSL_R_RENEGOTIATION_ENCODING_ERR);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
/* Check that the extension matches */ /* Check that the extension matches */
if (ilen != expected_len) { if (ilen != expected_len) {
SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
SSL_R_RENEGOTIATION_MISMATCH); SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_ILLEGAL_PARAMETER;
return 0; return 0;
} }
if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
|| memcmp(data, s->s3->previous_client_finished, || memcmp(data, s->s3->previous_client_finished,
s->s3->previous_client_finished_len) != 0) { s->s3->previous_client_finished_len) != 0) {
SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
SSL_R_RENEGOTIATION_MISMATCH); SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_ILLEGAL_PARAMETER;
return 0; return 0;
} }
if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
|| memcmp(data, s->s3->previous_server_finished, || memcmp(data, s->s3->previous_server_finished,
s->s3->previous_server_finished_len) != 0) { s->s3->previous_server_finished_len) != 0) {
SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
SSL_R_RENEGOTIATION_MISMATCH); SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_ILLEGAL_PARAMETER;
return 0; return 0;
} }
s->s3->send_connection_binding = 1; s->s3->send_connection_binding = 1;
...@@ -1143,18 +1193,21 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1143,18 +1193,21 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
/* Parse the server's max fragment len extension packet */ /* Parse the server's max fragment len extension packet */
int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
unsigned int value; unsigned int value;
if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
*al = TLS1_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
/* |value| should contains a valid max-fragment-length code. */ /* |value| should contains a valid max-fragment-length code. */
if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
return 0; return 0;
} }
...@@ -1165,7 +1218,9 @@ int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1165,7 +1218,9 @@ int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
* It must abort with SSL_AD_ILLEGAL_PARAMETER alert * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
*/ */
if (value != s->ext.max_fragment_len_mode) { if (value != s->ext.max_fragment_len_mode) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
return 0; return 0;
} }
...@@ -1179,26 +1234,30 @@ int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1179,26 +1234,30 @@ int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
} }
int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (s->ext.hostname == NULL) { if (s->ext.hostname == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
if (PACKET_remaining(pkt) > 0) { if (PACKET_remaining(pkt) > 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (!s->hit) { if (!s->hit) {
if (s->session->ext.hostname != NULL) { if (s->session->ext.hostname != NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
if (s->session->ext.hostname == NULL) { if (s->session->ext.hostname == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -1208,13 +1267,14 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1208,13 +1267,14 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
unsigned int ecpointformats_len; unsigned int ecpointformats_len;
PACKET ecptformatlist; PACKET ecptformatlist;
if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (!s->hit) { if (!s->hit) {
...@@ -1224,7 +1284,8 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1224,7 +1284,8 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
OPENSSL_free(s->session->ext.ecpointformats); OPENSSL_free(s->session->ext.ecpointformats);
s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len); s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
if (s->session->ext.ecpointformats == NULL) { if (s->session->ext.ecpointformats == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -1233,7 +1294,8 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1233,7 +1294,8 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
if (!PACKET_copy_bytes(&ecptformatlist, if (!PACKET_copy_bytes(&ecptformatlist,
s->session->ext.ecpointformats, s->session->ext.ecpointformats,
ecpointformats_len)) { ecpointformats_len)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -1243,22 +1305,25 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1243,22 +1305,25 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
#endif #endif
int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (s->ext.session_ticket_cb != NULL && if (s->ext.session_ticket_cb != NULL &&
!s->ext.session_ticket_cb(s, PACKET_data(pkt), !s->ext.session_ticket_cb(s, PACKET_data(pkt),
PACKET_remaining(pkt), PACKET_remaining(pkt),
s->ext.session_ticket_cb_arg)) { s->ext.session_ticket_cb_arg)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (!tls_use_ticket(s)) { if (!tls_use_ticket(s)) {
*al = SSL_AD_UNSUPPORTED_EXTENSION; SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (PACKET_remaining(pkt) > 0) { if (PACKET_remaining(pkt) > 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -1269,18 +1334,20 @@ int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1269,18 +1334,20 @@ int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
/* /*
* MUST only be sent if we've requested a status * MUST only be sent if we've requested a status
* request message. In TLS <= 1.2 it must also be empty. * request message. In TLS <= 1.2 it must also be empty.
*/ */
if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
*al = SSL_AD_UNSUPPORTED_EXTENSION; SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -1290,7 +1357,9 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1290,7 +1357,9 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
*/ */
if (chainidx != 0) if (chainidx != 0)
return 1; return 1;
return tls_process_cert_status_body(s, pkt, al);
/* SSLfatal() already called */
return tls_process_cert_status_body(s, pkt);
} }
/* Set flag to expect CertificateStatus message */ /* Set flag to expect CertificateStatus message */
...@@ -1303,7 +1372,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1303,7 +1372,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
/* /*
* Only take it if we asked for it - i.e if there is no CT validation * Only take it if we asked for it - i.e if there is no CT validation
...@@ -1322,7 +1391,8 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1322,7 +1391,8 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->ext.scts = OPENSSL_malloc(size); s->ext.scts = OPENSSL_malloc(size);
if (s->ext.scts == NULL if (s->ext.scts == NULL
|| !PACKET_copy_bytes(pkt, s->ext.scts, size)) { || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -1337,16 +1407,19 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1337,16 +1407,19 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (custom_ext_find(&s->cert->custext, role, if (custom_ext_find(&s->cert->custext, role,
TLSEXT_TYPE_signed_certificate_timestamp, TLSEXT_TYPE_signed_certificate_timestamp,
NULL) == NULL) { NULL) == NULL) {
*al = TLS1_AD_UNSUPPORTED_EXTENSION; SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (custom_ext_parse(s, context, if (!custom_ext_parse(s, context,
TLSEXT_TYPE_signed_certificate_timestamp, TLSEXT_TYPE_signed_certificate_timestamp,
PACKET_data(pkt), PACKET_remaining(pkt), PACKET_data(pkt), PACKET_remaining(pkt),
x, chainidx, al) <= 0) x, chainidx)) {
/* SSLfatal already called */
return 0; return 0;
} }
}
return 1; return 1;
} }
...@@ -1359,21 +1432,24 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1359,21 +1432,24 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* elements of zero length are allowed and the set of elements must exactly * elements of zero length are allowed and the set of elements must exactly
* fill the length of the block. Returns 1 on success or 0 on failure. * fill the length of the block. Returns 1 on success or 0 on failure.
*/ */
static int ssl_next_proto_validate(PACKET *pkt) static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
{ {
PACKET tmp_protocol; PACKET tmp_protocol;
while (PACKET_remaining(pkt)) { while (PACKET_remaining(pkt)) {
if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
|| PACKET_remaining(&tmp_protocol) == 0) || PACKET_remaining(&tmp_protocol) == 0) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
}
return 1; return 1;
} }
int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
unsigned char *selected; unsigned char *selected;
unsigned char selected_len; unsigned char selected_len;
...@@ -1385,14 +1461,15 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1385,14 +1461,15 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* We must have requested it. */ /* We must have requested it. */
if (s->ctx->ext.npn_select_cb == NULL) { if (s->ctx->ext.npn_select_cb == NULL) {
*al = SSL_AD_UNSUPPORTED_EXTENSION; SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
/* The data must be valid */ /* The data must be valid */
tmppkt = *pkt; tmppkt = *pkt;
if (!ssl_next_proto_validate(&tmppkt)) { if (!ssl_next_proto_validate(s, &tmppkt)) {
*al = SSL_AD_DECODE_ERROR; /* SSLfatal() already called */
return 0; return 0;
} }
if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len, if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
...@@ -1400,7 +1477,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1400,7 +1477,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
PACKET_remaining(pkt), PACKET_remaining(pkt),
s->ctx->ext.npn_select_cb_arg) != s->ctx->ext.npn_select_cb_arg) !=
SSL_TLSEXT_ERR_OK) { SSL_TLSEXT_ERR_OK) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -1411,7 +1489,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1411,7 +1489,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
OPENSSL_free(s->ext.npn); OPENSSL_free(s->ext.npn);
s->ext.npn = OPENSSL_malloc(selected_len); s->ext.npn = OPENSSL_malloc(selected_len);
if (s->ext.npn == NULL) { if (s->ext.npn == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -1424,13 +1503,14 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1424,13 +1503,14 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
#endif #endif
int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
size_t len; size_t len;
/* We must have requested it. */ /* We must have requested it. */
if (!s->s3->alpn_sent) { if (!s->s3->alpn_sent) {
*al = SSL_AD_UNSUPPORTED_EXTENSION; SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
/*- /*-
...@@ -1442,17 +1522,20 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1442,17 +1522,20 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (!PACKET_get_net_2_len(pkt, &len) if (!PACKET_get_net_2_len(pkt, &len)
|| PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
|| PACKET_remaining(pkt) != len) { || PACKET_remaining(pkt) != len) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
OPENSSL_free(s->s3->alpn_selected); OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = OPENSSL_malloc(len); s->s3->alpn_selected = OPENSSL_malloc(len);
if (s->s3->alpn_selected == NULL) { if (s->s3->alpn_selected == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) { if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
s->s3->alpn_selected_len = len; s->s3->alpn_selected_len = len;
...@@ -1469,7 +1552,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1469,7 +1552,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->session->ext.alpn_selected = s->session->ext.alpn_selected =
OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
if (s->session->ext.alpn_selected == NULL) { if (s->session->ext.alpn_selected == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
s->session->ext.alpn_selected_len = s->s3->alpn_selected_len; s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
...@@ -1480,7 +1564,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1480,7 +1564,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
unsigned int id, ct, mki; unsigned int id, ct, mki;
int i; int i;
...@@ -1491,24 +1575,23 @@ int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1491,24 +1575,23 @@ int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|| !PACKET_get_net_2(pkt, &id) || !PACKET_get_net_2(pkt, &id)
|| !PACKET_get_1(pkt, &mki) || !PACKET_get_1(pkt, &mki)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
if (mki != 0) { if (mki != 0) {
/* Must be no MKI, since we never offer one */ /* Must be no MKI, since we never offer one */
SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP,
*al = SSL_AD_ILLEGAL_PARAMETER; SSL_R_BAD_SRTP_MKI_VALUE);
return 0; return 0;
} }
/* Throw an error if the server gave us an unsolicited extension */ /* Throw an error if the server gave us an unsolicited extension */
clnt = SSL_get_srtp_profiles(s); clnt = SSL_get_srtp_profiles(s);
if (clnt == NULL) { if (clnt == NULL) {
SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_NO_SRTP_PROFILES); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
*al = SSL_AD_DECODE_ERROR; SSL_R_NO_SRTP_PROFILES);
return 0; return 0;
} }
...@@ -1521,20 +1604,18 @@ int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1521,20 +1604,18 @@ int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (prof->id == id) { if (prof->id == id) {
s->srtp_profile = prof; s->srtp_profile = prof;
*al = 0;
return 1; return 1;
} }
} }
SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
#endif #endif
int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
/* Ignore if inappropriate ciphersuite */ /* Ignore if inappropriate ciphersuite */
if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
...@@ -1546,7 +1627,7 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1546,7 +1627,7 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
} }
int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
if (!s->hit) if (!s->hit)
...@@ -1556,7 +1637,7 @@ int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1556,7 +1637,7 @@ int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
} }
int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
unsigned int group_id; unsigned int group_id;
...@@ -1565,14 +1646,14 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1565,14 +1646,14 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Sanity check */ /* Sanity check */
if (ckey == NULL || s->s3->peer_tmp != NULL) { if (ckey == NULL || s->s3->peer_tmp != NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
if (!PACKET_get_net_2(pkt, &group_id)) { if (!PACKET_get_net_2(pkt, &group_id)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
...@@ -1581,8 +1662,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1581,8 +1662,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t i, num_groups; size_t i, num_groups;
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
...@@ -1591,8 +1672,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1591,8 +1672,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* already sent in the first ClientHello * already sent in the first ClientHello
*/ */
if (group_id == s->s3->group_id) { if (group_id == s->s3->group_id) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
return 0; return 0;
} }
...@@ -1604,8 +1685,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1604,8 +1685,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
} }
if (i >= num_groups if (i >= num_groups
|| !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
return 0; return 0;
} }
...@@ -1620,35 +1701,34 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1620,35 +1701,34 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* This isn't for the group that we sent in the original * This isn't for the group that we sent in the original
* key_share! * key_share!
*/ */
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); SSL_R_BAD_KEY_SHARE);
return 0; return 0;
} }
if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
|| PACKET_remaining(&encoded_pt) == 0) { || PACKET_remaining(&encoded_pt) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
skey = ssl_generate_pkey(ckey); skey = ssl_generate_pkey(ckey);
if (skey == NULL) { if (skey == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt), if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
PACKET_remaining(&encoded_pt))) { PACKET_remaining(&encoded_pt))) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_ECPOINT); SSL_R_BAD_ECPOINT);
EVP_PKEY_free(skey); EVP_PKEY_free(skey);
return 0; return 0;
} }
if (ssl_derive(s, ckey, skey, 1) == 0) { if (ssl_derive(s, ckey, skey, 1) == 0) {
*al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
EVP_PKEY_free(skey); EVP_PKEY_free(skey);
return 0; return 0;
} }
...@@ -1659,15 +1739,15 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1659,15 +1739,15 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
} }
int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
PACKET cookie; PACKET cookie;
if (!PACKET_as_length_prefixed_2(pkt, &cookie) if (!PACKET_as_length_prefixed_2(pkt, &cookie)
|| !PACKET_memdup(&cookie, &s->ext.tls13_cookie, || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
&s->ext.tls13_cookie_len)) { &s->ext.tls13_cookie_len)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE,
SSLerr(SSL_F_TLS_PARSE_STOC_COOKIE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
...@@ -1675,16 +1755,15 @@ int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1675,16 +1755,15 @@ int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
} }
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
unsigned long max_early_data; unsigned long max_early_data;
if (!PACKET_get_net_4(pkt, &max_early_data) if (!PACKET_get_net_4(pkt, &max_early_data)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
SSLerr(SSL_F_TLS_PARSE_STOC_EARLY_DATA, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
SSL_R_INVALID_MAX_EARLY_DATA); SSL_R_INVALID_MAX_EARLY_DATA);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
...@@ -1694,7 +1773,8 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1694,7 +1773,8 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
} }
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -1706,7 +1786,8 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1706,7 +1786,8 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
* using the first identity, or the SNI/ALPN is not consistent so the * using the first identity, or the SNI/ALPN is not consistent so the
* server should not be accepting it. * server should not be accepting it.
*/ */
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -1716,14 +1797,14 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, ...@@ -1716,14 +1797,14 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
} }
int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
unsigned int identity; unsigned int identity;
if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
...@@ -1736,8 +1817,8 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -1736,8 +1817,8 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (s->psksession == NULL if (s->psksession == NULL
|| s->psksession->ext.tick_identity != (int)identity) { || s->psksession->ext.tick_identity != (int)identity) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_BAD_PSK_IDENTITY); SSL_R_BAD_PSK_IDENTITY);
return 0; return 0;
} }
......
ssl/statem/extensions_cust.c
浏览文件 @ f63a17d6
...@@ -112,8 +112,9 @@ void custom_ext_init(custom_ext_methods *exts) ...@@ -112,8 +112,9 @@ void custom_ext_init(custom_ext_methods *exts)
/* Pass received custom extension data to the application for parsing. */ /* Pass received custom extension data to the application for parsing. */
int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
const unsigned char *ext_data, size_t ext_size, X509 *x, const unsigned char *ext_data, size_t ext_size, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
int al;
custom_ext_methods *exts = &s->cert->custext; custom_ext_methods *exts = &s->cert->custext;
custom_ext_method *meth; custom_ext_method *meth;
ENDPOINT role = ENDPOINT_BOTH; ENDPOINT role = ENDPOINT_BOTH;
...@@ -138,7 +139,8 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, ...@@ -138,7 +139,8 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
* extensions not sent in ClientHello. * extensions not sent in ClientHello.
*/ */
if ((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0) { if ((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0) {
*al = TLS1_AD_UNSUPPORTED_EXTENSION; SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_CUSTOM_EXT_PARSE,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
} }
...@@ -155,8 +157,13 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, ...@@ -155,8 +157,13 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
if (!meth->parse_cb) if (!meth->parse_cb)
return 1; return 1;
return meth->parse_cb(s, ext_type, context, ext_data, ext_size, x, chainidx, if (meth->parse_cb(s, ext_type, context, ext_data, ext_size, x, chainidx,
al, meth->parse_arg); &al, meth->parse_arg) <= 0) {
SSLfatal(s, al, SSL_F_CUSTOM_EXT_PARSE, SSL_R_BAD_EXTENSION);
return 0;
}
return 1;
} }
/* /*
...@@ -164,11 +171,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, ...@@ -164,11 +171,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
* buffer. * buffer.
*/ */
int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
int maxversion, int *al) int maxversion)
{ {
custom_ext_methods *exts = &s->cert->custext; custom_ext_methods *exts = &s->cert->custext;
custom_ext_method *meth; custom_ext_method *meth;
size_t i; size_t i;
int al;
for (i = 0; i < exts->meths_count; i++) { for (i = 0; i < exts->meths_count; i++) {
const unsigned char *out = NULL; const unsigned char *out = NULL;
...@@ -197,11 +205,13 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, ...@@ -197,11 +205,13 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
if (meth->add_cb != NULL) { if (meth->add_cb != NULL) {
int cb_retval = meth->add_cb(s, meth->ext_type, context, &out, int cb_retval = meth->add_cb(s, meth->ext_type, context, &out,
&outlen, x, chainidx, al, &outlen, x, chainidx, &al,
meth->add_arg); meth->add_arg);
if (cb_retval < 0) if (cb_retval < 0) {
SSLfatal(s, al, SSL_F_CUSTOM_EXT_ADD, SSL_R_CALLBACK_FAILED);
return 0; /* error */ return 0; /* error */
}
if (cb_retval == 0) if (cb_retval == 0)
continue; /* skip this extension */ continue; /* skip this extension */
} }
...@@ -210,7 +220,8 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, ...@@ -210,7 +220,8 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen)) || (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen))
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CUSTOM_EXT_ADD,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
if ((context & SSL_EXT_CLIENT_HELLO) != 0) { if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
...@@ -218,7 +229,8 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, ...@@ -218,7 +229,8 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
* We can't send duplicates: code logic should prevent this. * We can't send duplicates: code logic should prevent this.
*/ */
if (!ossl_assert((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0)) { if (!ossl_assert((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CUSTOM_EXT_ADD,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* /*
......
ssl/statem/extensions_srvr.c
浏览文件 @ f63a17d6
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* Parse the client's renegotiation binding and abort if it's not right * Parse the client's renegotiation binding and abort if it's not right
*/ */
int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
unsigned int ilen; unsigned int ilen;
const unsigned char *data; const unsigned char *data;
...@@ -23,25 +23,22 @@ int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, ...@@ -23,25 +23,22 @@ int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
/* Parse the length byte */ /* Parse the length byte */
if (!PACKET_get_1(pkt, &ilen) if (!PACKET_get_1(pkt, &ilen)
|| !PACKET_get_bytes(pkt, &data, ilen)) { || !PACKET_get_bytes(pkt, &data, ilen)) {
SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
SSL_R_RENEGOTIATION_ENCODING_ERR); SSL_R_RENEGOTIATION_ENCODING_ERR);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
/* Check that the extension matches */ /* Check that the extension matches */
if (ilen != s->s3->previous_client_finished_len) { if (ilen != s->s3->previous_client_finished_len) {
SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
SSL_R_RENEGOTIATION_MISMATCH); SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_HANDSHAKE_FAILURE;
return 0; return 0;
} }
if (memcmp(data, s->s3->previous_client_finished, if (memcmp(data, s->s3->previous_client_finished,
s->s3->previous_client_finished_len)) { s->s3->previous_client_finished_len)) {
SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
SSL_R_RENEGOTIATION_MISMATCH); SSL_R_RENEGOTIATION_MISMATCH);
*al = SSL_AD_HANDSHAKE_FAILURE;
return 0; return 0;
} }
...@@ -74,7 +71,7 @@ int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, ...@@ -74,7 +71,7 @@ int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
* - On session reconnect, the servername extension may be absent. * - On session reconnect, the servername extension may be absent.
*/ */
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
unsigned int servname_type; unsigned int servname_type;
PACKET sni, hostname; PACKET sni, hostname;
...@@ -82,7 +79,8 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, ...@@ -82,7 +79,8 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
if (!PACKET_as_length_prefixed_2(pkt, &sni) if (!PACKET_as_length_prefixed_2(pkt, &sni)
/* ServerNameList must be at least 1 byte long. */ /* ServerNameList must be at least 1 byte long. */
|| PACKET_remaining(&sni) == 0) { || PACKET_remaining(&sni) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -100,25 +98,31 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, ...@@ -100,25 +98,31 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
if (!PACKET_get_1(&sni, &servname_type) if (!PACKET_get_1(&sni, &servname_type)
|| servname_type != TLSEXT_NAMETYPE_host_name || servname_type != TLSEXT_NAMETYPE_host_name
|| !PACKET_as_length_prefixed_2(&sni, &hostname)) { || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (!s->hit) { if (!s->hit) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
*al = TLS1_AD_UNRECOGNIZED_NAME; SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (PACKET_contains_zero_byte(&hostname)) { if (PACKET_contains_zero_byte(&hostname)) {
*al = TLS1_AD_UNRECOGNIZED_NAME; SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
OPENSSL_free(s->session->ext.hostname); OPENSSL_free(s->session->ext.hostname);
s->session->ext.hostname = NULL; s->session->ext.hostname = NULL;
if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) { if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
*al = TLS1_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -140,18 +144,21 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, ...@@ -140,18 +144,21 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
} }
int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
unsigned int value; unsigned int value;
if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
*al = TLS1_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
/* Received |value| should be a valid max-fragment-length code. */ /* Received |value| should be a valid max-fragment-length code. */
if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
return 0; return 0;
} }
...@@ -161,7 +168,9 @@ int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, ...@@ -161,7 +168,9 @@ int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
* We should receive the same code as in resumed session ! * We should receive the same code as in resumed session !
*/ */
if (s->hit && s->session->ext.max_fragment_len_mode != value) { if (s->hit && s->session->ext.max_fragment_len_mode != value) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
return 0; return 0;
} }
...@@ -175,13 +184,15 @@ int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, ...@@ -175,13 +184,15 @@ int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
PACKET srp_I; PACKET srp_I;
if (!PACKET_as_length_prefixed_1(pkt, &srp_I) if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
|| PACKET_contains_zero_byte(&srp_I)) { || PACKET_contains_zero_byte(&srp_I)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_SRP,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -190,7 +201,8 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -190,7 +201,8 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* upon resumption. Instead, we MUST ignore the login. * upon resumption. Instead, we MUST ignore the login.
*/ */
if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) { if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -200,13 +212,14 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -200,13 +212,14 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
PACKET ec_point_format_list; PACKET ec_point_format_list;
if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list) if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
|| PACKET_remaining(&ec_point_format_list) == 0) { || PACKET_remaining(&ec_point_format_list) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -214,7 +227,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, ...@@ -214,7 +227,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
if (!PACKET_memdup(&ec_point_format_list, if (!PACKET_memdup(&ec_point_format_list,
&s->session->ext.ecpointformats, &s->session->ext.ecpointformats,
&s->session->ext.ecpointformats_len)) { &s->session->ext.ecpointformats_len)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -224,13 +238,14 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, ...@@ -224,13 +238,14 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (s->ext.session_ticket_cb && if (s->ext.session_ticket_cb &&
!s->ext.session_ticket_cb(s, PACKET_data(pkt), !s->ext.session_ticket_cb(s, PACKET_data(pkt),
PACKET_remaining(pkt), PACKET_remaining(pkt),
s->ext.session_ticket_cb_arg)) { s->ext.session_ticket_cb_arg)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -238,18 +253,20 @@ int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, ...@@ -238,18 +253,20 @@ int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
} }
int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
PACKET supported_sig_algs; PACKET supported_sig_algs;
if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs) if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
|| PACKET_remaining(&supported_sig_algs) == 0) { || PACKET_remaining(&supported_sig_algs) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) { if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -258,7 +275,7 @@ int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -258,7 +275,7 @@ int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
PACKET responder_id_list, exts; PACKET responder_id_list, exts;
...@@ -267,7 +284,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -267,7 +284,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
return 1; return 1;
if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) { if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -280,7 +298,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -280,7 +298,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
} }
if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) { if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -292,7 +311,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -292,7 +311,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
if (PACKET_remaining(&responder_id_list) > 0) { if (PACKET_remaining(&responder_id_list) > 0) {
s->ext.ocsp.ids = sk_OCSP_RESPID_new_null(); s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
if (s->ext.ocsp.ids == NULL) { if (s->ext.ocsp.ids == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
} else { } else {
...@@ -306,7 +326,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -306,7 +326,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
|| PACKET_remaining(&responder_id) == 0) { || PACKET_remaining(&responder_id) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -315,26 +336,32 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -315,26 +336,32 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
id = d2i_OCSP_RESPID(NULL, &id_data, id = d2i_OCSP_RESPID(NULL, &id_data,
(int)PACKET_remaining(&responder_id)); (int)PACKET_remaining(&responder_id));
if (id == NULL) { if (id == NULL) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (id_data != PACKET_end(&responder_id)) { if (id_data != PACKET_end(&responder_id)) {
OCSP_RESPID_free(id); OCSP_RESPID_free(id);
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) { if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
OCSP_RESPID_free(id); OCSP_RESPID_free(id);
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
/* Read in request_extensions */ /* Read in request_extensions */
if (!PACKET_as_length_prefixed_2(pkt, &exts)) { if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -346,7 +373,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -346,7 +373,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
s->ext.ocsp.exts = s->ext.ocsp.exts =
d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts)); d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) { if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
} }
...@@ -357,7 +385,7 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, ...@@ -357,7 +385,7 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
/* /*
* We shouldn't accept this extension on a * We shouldn't accept this extension on a
...@@ -376,7 +404,7 @@ int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -376,7 +404,7 @@ int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* value to send in the event of a failure. Returns: 1 on success, 0 on error. * value to send in the event of a failure. Returns: 1 on success, 0 on error.
*/ */
int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
PACKET protocol_list, save_protocol_list, protocol; PACKET protocol_list, save_protocol_list, protocol;
...@@ -385,7 +413,8 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -385,7 +413,8 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (!PACKET_as_length_prefixed_2(pkt, &protocol_list) if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
|| PACKET_remaining(&protocol_list) < 2) { || PACKET_remaining(&protocol_list) < 2) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -394,7 +423,8 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -394,7 +423,8 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Protocol names can't be empty. */ /* Protocol names can't be empty. */
if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol) if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
|| PACKET_remaining(&protocol) == 0) { || PACKET_remaining(&protocol) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
} while (PACKET_remaining(&protocol_list) != 0); } while (PACKET_remaining(&protocol_list) != 0);
...@@ -404,7 +434,8 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -404,7 +434,8 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
s->s3->alpn_proposed_len = 0; s->s3->alpn_proposed_len = 0;
if (!PACKET_memdup(&save_protocol_list, if (!PACKET_memdup(&save_protocol_list,
&s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) { &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -413,7 +444,7 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -413,7 +444,7 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
unsigned int ct, mki_len, id; unsigned int ct, mki_len, id;
...@@ -427,9 +458,8 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -427,9 +458,8 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Pull off the length of the cipher suite list and check it is even */ /* Pull off the length of the cipher suite list and check it is even */
if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
|| !PACKET_get_sub_packet(pkt, &subpkt, ct)) { || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
...@@ -440,9 +470,8 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -440,9 +470,8 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
while (PACKET_remaining(&subpkt)) { while (PACKET_remaining(&subpkt)) {
if (!PACKET_get_net_2(&subpkt, &id)) { if (!PACKET_get_net_2(&subpkt, &id)) {
SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
...@@ -466,16 +495,15 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -466,16 +495,15 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Now extract the MKI value as a sanity check, but discard it for now */ /* Now extract the MKI value as a sanity check, but discard it for now */
if (!PACKET_get_1(pkt, &mki_len)) { if (!PACKET_get_1(pkt, &mki_len)) {
SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
*al = SSL_AD_DECODE_ERROR;
return 0; return 0;
} }
if (!PACKET_forward(pkt, mki_len) if (!PACKET_forward(pkt, mki_len)
|| PACKET_remaining(pkt)) { || PACKET_remaining(pkt)) {
SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
*al = SSL_AD_DECODE_ERROR; SSL_R_BAD_SRTP_MKI_VALUE);
return 0; return 0;
} }
...@@ -484,7 +512,7 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -484,7 +512,7 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
#endif #endif
int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
s->ext.use_etm = 1; s->ext.use_etm = 1;
...@@ -498,7 +526,7 @@ int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -498,7 +526,7 @@ int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* If a failure occurs then |*al| is set to an appropriate alert value. * If a failure occurs then |*al| is set to an appropriate alert value.
*/ */
int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
PACKET psk_kex_modes; PACKET psk_kex_modes;
...@@ -506,7 +534,8 @@ int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, ...@@ -506,7 +534,8 @@ int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes) if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
|| PACKET_remaining(&psk_kex_modes) == 0) { || PACKET_remaining(&psk_kex_modes) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -528,7 +557,7 @@ int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, ...@@ -528,7 +557,7 @@ int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
* If a failure occurs then |*al| is set to an appropriate alert value. * If a failure occurs then |*al| is set to an appropriate alert value.
*/ */
int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
unsigned int group_id; unsigned int group_id;
...@@ -542,14 +571,14 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -542,14 +571,14 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Sanity check */ /* Sanity check */
if (s->s3->peer_tmp != NULL) { if (s->s3->peer_tmp != NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) { if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
...@@ -563,8 +592,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -563,8 +592,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* because we verify that the length is non-zero when we process that * because we verify that the length is non-zero when we process that
* extension. * extension.
*/ */
*al = SSL_AD_MISSING_EXTENSION; SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION); SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
return 0; return 0;
} }
...@@ -573,8 +601,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -573,8 +601,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (!PACKET_get_net_2(&key_share_list, &group_id) if (!PACKET_get_net_2(&key_share_list, &group_id)
|| !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt) || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
|| PACKET_remaining(&encoded_pt) == 0) { || PACKET_remaining(&encoded_pt) == 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
...@@ -588,8 +615,8 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -588,8 +615,8 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Check if this share is in supported_groups sent from client */ /* Check if this share is in supported_groups sent from client */
if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) { if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE); SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
return 0; return 0;
} }
...@@ -600,8 +627,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -600,8 +627,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
} }
if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) { if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
return 0; return 0;
} }
...@@ -611,8 +637,8 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -611,8 +637,8 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp, if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
PACKET_data(&encoded_pt), PACKET_data(&encoded_pt),
PACKET_remaining(&encoded_pt))) { PACKET_remaining(&encoded_pt))) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT); SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
return 0; return 0;
} }
...@@ -625,7 +651,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -625,7 +651,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
PACKET supported_groups_list; PACKET supported_groups_list;
...@@ -633,7 +659,8 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, ...@@ -633,7 +659,8 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list) if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
|| PACKET_remaining(&supported_groups_list) == 0 || PACKET_remaining(&supported_groups_list) == 0
|| (PACKET_remaining(&supported_groups_list) % 2) != 0) { || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -644,7 +671,9 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, ...@@ -644,7 +671,9 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
if (!tls1_save_u16(&supported_groups_list, if (!tls1_save_u16(&supported_groups_list,
&s->session->ext.supportedgroups, &s->session->ext.supportedgroups,
&s->session->ext.supportedgroups_len)) { &s->session->ext.supportedgroups_len)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -654,11 +683,12 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, ...@@ -654,11 +683,12 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
#endif #endif
int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
/* The extension must always be empty */ /* The extension must always be empty */
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -669,15 +699,17 @@ int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -669,15 +699,17 @@ int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
if (s->hello_retry_request) { if (s->hello_retry_request) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -685,7 +717,7 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, ...@@ -685,7 +717,7 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
} }
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
PACKET identities, binders, binder; PACKET identities, binders, binder;
size_t binderoffset, hashsize; size_t binderoffset, hashsize;
...@@ -702,7 +734,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -702,7 +734,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 1; return 1;
if (!PACKET_get_length_prefixed_2(pkt, &identities)) { if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -712,7 +745,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -712,7 +745,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (!PACKET_get_length_prefixed_2(&identities, &identity) if (!PACKET_get_length_prefixed_2(&identities, &identity)
|| !PACKET_get_net_4(&identities, &ticket_agel)) { || !PACKET_get_net_4(&identities, &ticket_agel)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -720,7 +754,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -720,7 +754,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
&& !s->psk_find_session_cb(s, PACKET_data(&identity), && !s->psk_find_session_cb(s, PACKET_data(&identity),
PACKET_remaining(&identity), PACKET_remaining(&identity),
&sess)) { &sess)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
return 0; return 0;
} }
...@@ -729,7 +764,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -729,7 +764,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
SSL_SESSION *sesstmp = ssl_session_dup(sess, 0); SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
if (sesstmp == NULL) { if (sesstmp == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
SSL_SESSION_free(sess); SSL_SESSION_free(sess);
...@@ -752,7 +788,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -752,7 +788,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (ret == TICKET_FATAL_ERR_MALLOC if (ret == TICKET_FATAL_ERR_MALLOC
|| ret == TICKET_FATAL_ERR_OTHER) { || ret == TICKET_FATAL_ERR_OTHER) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
if (ret == TICKET_NO_DECRYPT) if (ret == TICKET_NO_DECRYPT)
...@@ -803,13 +840,15 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -803,13 +840,15 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
hashsize = EVP_MD_size(md); hashsize = EVP_MD_size(md);
if (!PACKET_get_length_prefixed_2(pkt, &binders)) { if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
SSL_R_BAD_EXTENSION);
goto err; goto err;
} }
for (i = 0; i <= id; i++) { for (i = 0; i <= id; i++) {
if (!PACKET_get_length_prefixed_1(&binders, &binder)) { if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
SSL_R_BAD_EXTENSION);
goto err; goto err;
} }
} }
...@@ -819,8 +858,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, ...@@ -819,8 +858,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
(const unsigned char *)s->init_buf->data, (const unsigned char *)s->init_buf->data,
binderoffset, PACKET_data(&binder), NULL, binderoffset, PACKET_data(&binder), NULL,
sess, 0, ext) != 1) { sess, 0, ext) != 1) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); SSL_R_BAD_EXTENSION);
goto err; goto err;
} }
...@@ -839,7 +878,7 @@ err: ...@@ -839,7 +878,7 @@ err:
*/ */
EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (!s->s3->send_connection_binding) if (!s->s3->send_connection_binding)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -854,7 +893,8 @@ EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, ...@@ -854,7 +893,8 @@ EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
s->s3->previous_server_finished_len) s->s3->previous_server_finished_len)
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -863,7 +903,7 @@ EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, ...@@ -863,7 +903,7 @@ EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (s->hit || s->servername_done != 1 if (s->hit || s->servername_done != 1
|| s->session->ext.hostname == NULL) || s->session->ext.hostname == NULL)
...@@ -871,7 +911,8 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, ...@@ -871,7 +911,8 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -881,7 +922,7 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, ...@@ -881,7 +922,7 @@ EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
/* Add/include the server's max fragment len extension into ServerHello */ /* Add/include the server's max fragment len extension into ServerHello */
EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -894,7 +935,8 @@ EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, ...@@ -894,7 +935,8 @@ EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode) || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -904,7 +946,7 @@ EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, ...@@ -904,7 +946,7 @@ EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
...@@ -921,7 +963,8 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, ...@@ -921,7 +963,8 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_sub_memcpy_u8(pkt, plist, plistlen) || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -932,7 +975,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, ...@@ -932,7 +975,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
const uint16_t *groups; const uint16_t *groups;
size_t numgroups, i, first = 1; size_t numgroups, i, first = 1;
...@@ -944,7 +987,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, ...@@ -944,7 +987,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
/* Get our list of supported groups */ /* Get our list of supported groups */
tls1_get_supported_groups(s, &groups, &numgroups); tls1_get_supported_groups(s, &groups, &numgroups);
if (numgroups == 0) { if (numgroups == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -966,7 +1010,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, ...@@ -966,7 +1010,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
/* Sub-packet for supported_groups extension */ /* Sub-packet for supported_groups extension */
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -974,7 +1019,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, ...@@ -974,7 +1019,8 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
first = 0; first = 0;
} }
if (!WPACKET_put_bytes_u16(pkt, group)) { if (!WPACKET_put_bytes_u16(pkt, group)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -982,7 +1028,9 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, ...@@ -982,7 +1028,9 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
} }
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -992,7 +1040,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, ...@@ -992,7 +1040,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (!s->ext.ticket_expected || !tls_use_ticket(s)) { if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
s->ext.ticket_expected = 0; s->ext.ticket_expected = 0;
...@@ -1001,7 +1049,8 @@ EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, ...@@ -1001,7 +1049,8 @@ EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1011,7 +1060,7 @@ EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, ...@@ -1011,7 +1060,7 @@ EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (!s->ext.status_expected) if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -1021,7 +1070,8 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, ...@@ -1021,7 +1070,8 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
|| !WPACKET_start_sub_packet_u16(pkt)) { || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1032,7 +1082,8 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, ...@@ -1032,7 +1082,8 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
*/ */
if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1043,7 +1094,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, ...@@ -1043,7 +1094,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
const unsigned char *npa; const unsigned char *npa;
unsigned int npalen; unsigned int npalen;
...@@ -1059,7 +1110,8 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, ...@@ -1059,7 +1110,8 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
if (ret == SSL_TLSEXT_ERR_OK) { if (ret == SSL_TLSEXT_ERR_OK) {
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
|| !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) { || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1071,7 +1123,7 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, ...@@ -1071,7 +1123,7 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
#endif #endif
EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (s->s3->alpn_selected == NULL) if (s->s3->alpn_selected == NULL)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -1084,7 +1136,8 @@ EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1084,7 +1136,8 @@ EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
s->s3->alpn_selected_len) s->s3->alpn_selected_len)
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1094,7 +1147,7 @@ EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1094,7 +1147,7 @@ EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (s->srtp_profile == NULL) if (s->srtp_profile == NULL)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -1105,7 +1158,8 @@ EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, ...@@ -1105,7 +1158,8 @@ EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
|| !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id) || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
|| !WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_put_bytes_u8(pkt, 0)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1114,7 +1168,7 @@ EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, ...@@ -1114,7 +1168,7 @@ EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
#endif #endif
EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (!s->ext.use_etm) if (!s->ext.use_etm)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -1133,7 +1187,8 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1133,7 +1187,8 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1141,14 +1196,15 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1141,14 +1196,15 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
} }
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1157,7 +1213,7 @@ EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1157,7 +1213,7 @@ EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
#ifndef OPENSSL_NO_TLS1_3 #ifndef OPENSSL_NO_TLS1_3
unsigned char *encodedPoint; unsigned char *encodedPoint;
...@@ -1171,7 +1227,8 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, ...@@ -1171,7 +1227,8 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u16(pkt, s->s3->group_id) || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1181,8 +1238,8 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, ...@@ -1181,8 +1238,8 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
/* Must be resuming. */ /* Must be resuming. */
if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) { if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -1191,27 +1248,31 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, ...@@ -1191,27 +1248,31 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) { || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
skey = ssl_generate_pkey(ckey); skey = ssl_generate_pkey(ckey);
if (skey == NULL) { if (skey == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
ERR_R_MALLOC_FAILURE);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
/* Generate encoding of server key */ /* Generate encoding of server key */
encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint); encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
if (encoded_pt_len == 0) { if (encoded_pt_len == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
ERR_R_EC_LIB);
EVP_PKEY_free(skey); EVP_PKEY_free(skey);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
EVP_PKEY_free(skey); EVP_PKEY_free(skey);
OPENSSL_free(encodedPoint); OPENSSL_free(encodedPoint);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
...@@ -1221,7 +1282,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, ...@@ -1221,7 +1282,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
/* This causes the crypto state to be updated based on the derived keys */ /* This causes the crypto state to be updated based on the derived keys */
s->s3->tmp.pkey = skey; s->s3->tmp.pkey = skey;
if (ssl_derive(s, skey, ckey, 1) == 0) { if (ssl_derive(s, skey, ckey, 1) == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
#endif #endif
...@@ -1231,7 +1292,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, ...@@ -1231,7 +1292,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
const unsigned char cryptopro_ext[36] = { const unsigned char cryptopro_ext[36] = {
0xfd, 0xe8, /* 65000 */ 0xfd, 0xe8, /* 65000 */
...@@ -1248,7 +1309,8 @@ EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, ...@@ -1248,7 +1309,8 @@ EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) { if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1257,7 +1319,7 @@ EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, ...@@ -1257,7 +1319,7 @@ EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al) size_t chainidx)
{ {
if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
if (s->max_early_data == 0) if (s->max_early_data == 0)
...@@ -1267,7 +1329,8 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, ...@@ -1267,7 +1329,8 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u32(pkt, s->max_early_data) || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1280,7 +1343,8 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, ...@@ -1280,7 +1343,8 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
...@@ -1288,7 +1352,7 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, ...@@ -1288,7 +1352,7 @@ EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
} }
EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al) X509 *x, size_t chainidx)
{ {
if (!s->hit) if (!s->hit)
return EXT_RETURN_NOT_SENT; return EXT_RETURN_NOT_SENT;
...@@ -1297,7 +1361,8 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, ...@@ -1297,7 +1361,8 @@ EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
|| !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity) || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL; return EXT_RETURN_FAIL;
} }
......
ssl/statem/statem.c
浏览文件 @ f63a17d6
...@@ -120,14 +120,8 @@ void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file, ...@@ -120,14 +120,8 @@ void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
s->statem.in_init = 1; s->statem.in_init = 1;
s->statem.state = MSG_FLOW_ERROR; s->statem.state = MSG_FLOW_ERROR;
ERR_put_error(ERR_LIB_SSL, func, reason, file, line); ERR_put_error(ERR_LIB_SSL, func, reason, file, line);
if (s->statem.hand_state != TLS_ST_BEFORE if (al != SSL_AD_NO_ALERT)
&& s->statem.hand_state != TLS_ST_CW_CLNT_HELLO) {
/*
* We only send an alert if we've got as far as actually sending or
* receiving a message.
*/
ssl3_send_alert(s, SSL3_AL_FATAL, al); ssl3_send_alert(s, SSL3_AL_FATAL, al);
}
} }
/* /*
...@@ -557,13 +551,12 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) ...@@ -557,13 +551,12 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
* to that state if so * to that state if so
*/ */
if (!transition(s, mt)) { if (!transition(s, mt)) {
ossl_statem_set_error(s);
return SUB_STATE_ERROR; return SUB_STATE_ERROR;
} }
if (s->s3->tmp.message_size > max_message_size(s)) { if (s->s3->tmp.message_size > max_message_size(s)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_READ_STATE_MACHINE,
SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE); SSL_R_EXCESSIVE_MESSAGE_SIZE);
return SUB_STATE_ERROR; return SUB_STATE_ERROR;
} }
...@@ -572,8 +565,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) ...@@ -572,8 +565,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
&& s->s3->tmp.message_size > 0 && s->s3->tmp.message_size > 0
&& !grow_init_buf(s, s->s3->tmp.message_size && !grow_init_buf(s, s->s3->tmp.message_size
+ SSL3_HM_HEADER_LENGTH)) { + SSL3_HM_HEADER_LENGTH)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB); ERR_R_BUF_LIB);
return SUB_STATE_ERROR; return SUB_STATE_ERROR;
} }
...@@ -592,8 +585,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) ...@@ -592,8 +585,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
s->first_packet = 0; s->first_packet = 0;
if (!PACKET_buf_init(&pkt, s->init_msg, len)) { if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return SUB_STATE_ERROR; return SUB_STATE_ERROR;
} }
ret = process_message(s, &pkt); ret = process_message(s, &pkt);
...@@ -645,9 +638,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) ...@@ -645,9 +638,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
default: default:
/* Shouldn't happen */ /* Shouldn't happen */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
ossl_statem_set_error(s);
return SUB_STATE_ERROR; return SUB_STATE_ERROR;
} }
} }
...@@ -782,7 +774,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) ...@@ -782,7 +774,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
return SUB_STATE_END_HANDSHAKE; return SUB_STATE_END_HANDSHAKE;
} }
if (!get_construct_message_f(s, &pkt, &confunc, &mt)) { if (!get_construct_message_f(s, &pkt, &confunc, &mt)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return SUB_STATE_ERROR; return SUB_STATE_ERROR;
} }
if (mt == SSL3_MT_DUMMY) { if (mt == SSL3_MT_DUMMY) {
...@@ -792,12 +784,22 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) ...@@ -792,12 +784,22 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
break; break;
} }
if (!WPACKET_init(&pkt, s->init_buf) if (!WPACKET_init(&pkt, s->init_buf)
|| !ssl_set_handshake_header(s, &pkt, mt) || !ssl_set_handshake_header(s, &pkt, mt)) {
|| (confunc != NULL && !confunc(s, &pkt)) WPACKET_cleanup(&pkt);
|| !ssl_close_construct_packet(s, &pkt, mt) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
ERR_R_INTERNAL_ERROR);
return SUB_STATE_ERROR;
}
if (confunc != NULL && !confunc(s, &pkt)) {
WPACKET_cleanup(&pkt);
/* SSLfatal() already called */
return SUB_STATE_ERROR;
}
if (!ssl_close_construct_packet(s, &pkt, mt)
|| !WPACKET_finish(&pkt)) { || !WPACKET_finish(&pkt)) {
WPACKET_cleanup(&pkt); WPACKET_cleanup(&pkt);
ossl_statem_set_error(s); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
ERR_R_INTERNAL_ERROR);
return SUB_STATE_ERROR; return SUB_STATE_ERROR;
} }
......
ssl/statem/statem_clnt.c
浏览文件 @ f63a17d6
...@@ -363,8 +363,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt) ...@@ -363,8 +363,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
err: err:
/* No valid transition found */ /* No valid transition found */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION,
SSL_R_UNEXPECTED_MESSAGE);
return 0; return 0;
} }
...@@ -585,7 +586,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) ...@@ -585,7 +586,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
*/ */
if (ssl3_renegotiate_check(s, 1)) { if (ssl3_renegotiate_check(s, 1)) {
if (!tls_setup_handshake(s)) { if (!tls_setup_handshake(s)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WRITE_TRAN_ERROR; return WRITE_TRAN_ERROR;
} }
st->hand_state = TLS_ST_CW_CLNT_HELLO; st->hand_state = TLS_ST_CW_CLNT_HELLO;
...@@ -614,7 +615,7 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) ...@@ -614,7 +615,7 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
/* every DTLS ClientHello resets Finished MAC */ /* every DTLS ClientHello resets Finished MAC */
if (!ssl3_init_finished_mac(s)) { if (!ssl3_init_finished_mac(s)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
} }
...@@ -787,6 +788,9 @@ int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, ...@@ -787,6 +788,9 @@ int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
switch (st->hand_state) { switch (st->hand_state) {
default: default:
/* Shouldn't happen */ /* Shouldn't happen */
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE,
SSL_R_BAD_HANDSHAKE_STATE);
return 0; return 0;
case TLS_ST_CW_CHANGE: case TLS_ST_CW_CHANGE:
...@@ -993,7 +997,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -993,7 +997,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
unsigned char *p; unsigned char *p;
size_t sess_id_len; size_t sess_id_len;
int i, protverr; int i, protverr;
int al = SSL_AD_HANDSHAKE_FAILURE;
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
SSL_COMP *comp; SSL_COMP *comp;
#endif #endif
...@@ -1001,23 +1004,27 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1001,23 +1004,27 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) { if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
/* Should not happen */ /* Should not happen */
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* Work out what SSL/TLS/DTLS version to use */ /* Work out what SSL/TLS/DTLS version to use */
protverr = ssl_set_client_hello_version(s); protverr = ssl_set_client_hello_version(s);
if (protverr != 0) { if (protverr != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
protverr);
return 0; return 0;
} }
if (sess == NULL if (sess == NULL
|| !ssl_version_supported(s, sess->ssl_version) || !ssl_version_supported(s, sess->ssl_version)
|| !SSL_SESSION_is_resumable(sess)) { || !SSL_SESSION_is_resumable(sess)) {
if (!ssl_get_new_session(s, 0)) if (!ssl_get_new_session(s, 0)) {
/* SSLfatal() already called */
return 0; return 0;
} }
}
/* else use the pre-loaded session */ /* else use the pre-loaded session */
p = s->s3->client_random; p = s->s3->client_random;
...@@ -1040,8 +1047,11 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1040,8 +1047,11 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
} }
if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random), if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random),
DOWNGRADE_NONE) <= 0) DOWNGRADE_NONE) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
}
/*- /*-
* version indicates the negotiated version: for example from * version indicates the negotiated version: for example from
...@@ -1078,7 +1088,8 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1078,7 +1088,8 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
*/ */
if (!WPACKET_put_bytes_u16(pkt, s->client_version) if (!WPACKET_put_bytes_u16(pkt, s->client_version)
|| !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) { || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -1092,7 +1103,8 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1092,7 +1103,8 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
|| (sess_id_len != 0 && !WPACKET_memcpy(pkt, s->session->session_id, || (sess_id_len != 0 && !WPACKET_memcpy(pkt, s->session->session_id,
sess_id_len)) sess_id_len))
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -1101,27 +1113,33 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1101,27 +1113,33 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
if (s->d1->cookie_len > sizeof(s->d1->cookie) if (s->d1->cookie_len > sizeof(s->d1->cookie)
|| !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
s->d1->cookie_len)) { s->d1->cookie_len)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
/* Ciphers supported */ /* Ciphers supported */
if (!WPACKET_start_sub_packet_u16(pkt)) { if (!WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */ /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) {
/* SSLfatal() already called */
return 0; return 0;
}
if (!WPACKET_close(pkt)) { if (!WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* COMPRESSION */ /* COMPRESSION */
if (!WPACKET_start_sub_packet_u8(pkt)) { if (!WPACKET_start_sub_packet_u8(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
...@@ -1132,7 +1150,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1132,7 +1150,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
for (i = 0; i < compnum; i++) { for (i = 0; i < compnum; i++) {
comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
if (!WPACKET_put_bytes_u8(pkt, comp->id)) { if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -1140,13 +1160,14 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1140,13 +1160,14 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
#endif #endif
/* Add the NULL method */ /* Add the NULL method */
if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* TLS extensions */ /* TLS extensions */
if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0, &al)) { if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
return 0; return 0;
} }
...@@ -1155,36 +1176,31 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) ...@@ -1155,36 +1176,31 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
{ {
int al;
size_t cookie_len; size_t cookie_len;
PACKET cookiepkt; PACKET cookiepkt;
if (!PACKET_forward(pkt, 2) if (!PACKET_forward(pkt, 2)
|| !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; return MSG_PROCESS_ERROR;
} }
cookie_len = PACKET_remaining(&cookiepkt); cookie_len = PACKET_remaining(&cookiepkt);
if (cookie_len > sizeof(s->d1->cookie)) { if (cookie_len > sizeof(s->d1->cookie)) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_TOO_LONG); SSL_R_LENGTH_TOO_LONG);
goto f_err; return MSG_PROCESS_ERROR;
} }
if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; return MSG_PROCESS_ERROR;
} }
s->d1->cookie_len = cookie_len; s->d1->cookie_len = cookie_len;
return MSG_PROCESS_FINISHED_READING; return MSG_PROCESS_FINISHED_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
} }
static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
...@@ -1196,7 +1212,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) ...@@ -1196,7 +1212,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
c = ssl_get_cipher_by_char(s, cipherchars, 0); c = ssl_get_cipher_by_char(s, cipherchars, 0);
if (c == NULL) { if (c == NULL) {
/* unknown cipher */ /* unknown cipher */
SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_UNKNOWN_CIPHER_RETURNED); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
SSL_R_UNKNOWN_CIPHER_RETURNED);
return 0; return 0;
} }
/* /*
...@@ -1204,7 +1221,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) ...@@ -1204,7 +1221,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
* or it's not allowed for the selected protocol. So we return an error. * or it's not allowed for the selected protocol. So we return an error.
*/ */
if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
SSL_R_WRONG_CIPHER_RETURNED);
return 0; return 0;
} }
...@@ -1212,14 +1230,16 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) ...@@ -1212,14 +1230,16 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
i = sk_SSL_CIPHER_find(sk, c); i = sk_SSL_CIPHER_find(sk, c);
if (i < 0) { if (i < 0) {
/* we did not say we would use this cipher */ /* we did not say we would use this cipher */
SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
SSL_R_WRONG_CIPHER_RETURNED);
return 0; return 0;
} }
if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL
&& s->s3->tmp.new_cipher->id != c->id) { && s->s3->tmp.new_cipher->id != c->id) {
/* ServerHello selected a different ciphersuite to that in the HRR */ /* ServerHello selected a different ciphersuite to that in the HRR */
SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
SSL_R_WRONG_CIPHER_RETURNED);
return 0; return 0;
} }
...@@ -1238,7 +1258,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) ...@@ -1238,7 +1258,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
*/ */
if (ssl_md(c->algorithm2) if (ssl_md(c->algorithm2)
!= ssl_md(s->session->cipher->algorithm2)) { != ssl_md(s->session->cipher->algorithm2)) {
SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_SET_CLIENT_CIPHERSUITE,
SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
return 0; return 0;
} }
...@@ -1247,7 +1268,7 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) ...@@ -1247,7 +1268,7 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
* Prior to TLSv1.3 resuming a session always meant using the same * Prior to TLSv1.3 resuming a session always meant using the same
* ciphersuite. * ciphersuite.
*/ */
SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
return 0; return 0;
} }
...@@ -1273,16 +1294,16 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1273,16 +1294,16 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
#endif #endif
if (!PACKET_get_net_2(pkt, &sversion)) { if (!PACKET_get_net_2(pkt, &sversion)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
/* load the server random */ /* load the server random */
if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
/* /*
...@@ -1292,8 +1313,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1292,8 +1313,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
*/ */
protverr = ssl_choose_client_version(s, sversion, 1, &al); protverr = ssl_choose_client_version(s, sversion, 1, &al);
if (protverr != 0) { if (protverr != 0) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
goto f_err; protverr);
goto err;
} }
/* /*
...@@ -1301,25 +1323,25 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1301,25 +1323,25 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
* message must be on a record boundary. * message must be on a record boundary.
*/ */
if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_NOT_ON_RECORD_BOUNDARY); SSL_R_NOT_ON_RECORD_BOUNDARY);
goto f_err; goto err;
} }
/* Get the session-id. */ /* Get the session-id. */
if (!SSL_IS_TLS13(s)) { if (!SSL_IS_TLS13(s)) {
if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
session_id_len = PACKET_remaining(&session_id); session_id_len = PACKET_remaining(&session_id);
if (session_id_len > sizeof s->session->session_id if (session_id_len > sizeof s->session->session_id
|| session_id_len > SSL3_SESSION_ID_SIZE) { || session_id_len > SSL3_SESSION_ID_SIZE) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSL_R_SSL3_SESSION_ID_TOO_LONG); SSL_R_SSL3_SESSION_ID_TOO_LONG);
goto f_err; goto err;
} }
} else { } else {
PACKET_null_init(&session_id); PACKET_null_init(&session_id);
...@@ -1327,16 +1349,16 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1327,16 +1349,16 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
} }
if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
al = SSL_AD_DECODE_ERROR; SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (!SSL_IS_TLS13(s)) { if (!SSL_IS_TLS13(s)) {
if (!PACKET_get_1(pkt, &compression)) { if (!PACKET_get_1(pkt, &compression)) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
al = SSL_AD_DECODE_ERROR; SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
} else { } else {
compression = 0; compression = 0;
...@@ -1347,15 +1369,17 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1347,15 +1369,17 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
PACKET_null_init(&extpkt); PACKET_null_init(&extpkt);
} else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH); SSL_R_BAD_LENGTH);
goto f_err; goto err;
} }
context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
: SSL_EXT_TLS1_2_SERVER_HELLO; : SSL_EXT_TLS1_2_SERVER_HELLO;
if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL, 1)) if (!tls_collect_extensions(s, &extpkt, context, &extensions, NULL, 1)) {
goto f_err; /* SSLfatal() already called */
goto err;
}
s->hit = 0; s->hit = 0;
...@@ -1363,8 +1387,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1363,8 +1387,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
/* This will set s->hit if we are resuming */ /* This will set s->hit if we are resuming */
if (!tls_parse_extension(s, TLSEXT_IDX_psk, if (!tls_parse_extension(s, TLSEXT_IDX_psk,
SSL_EXT_TLS1_3_SERVER_HELLO, SSL_EXT_TLS1_3_SERVER_HELLO,
extensions, NULL, 0, &al)) extensions, NULL, 0l)) {
goto f_err; /* SSLfatal() already called */
goto err;
}
} else { } else {
/* /*
* Check if we can resume the session based on external pre-shared * Check if we can resume the session based on external pre-shared
...@@ -1396,9 +1422,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1396,9 +1422,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
s->session->cipher = pref_cipher ? s->session->cipher = pref_cipher ?
pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
} else { } else {
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
al = SSL_AD_INTERNAL_ERROR; SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
} }
...@@ -1413,10 +1439,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1413,10 +1439,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
if (s->sid_ctx_length != s->session->sid_ctx_length if (s->sid_ctx_length != s->session->sid_ctx_length
|| memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
/* actually a client application bug */ /* actually a client application bug */
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err; goto err;
} }
} else { } else {
/* /*
...@@ -1433,7 +1459,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1433,7 +1459,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
CRYPTO_atomic_add(&s->session_ctx->stats.sess_miss, 1, &discard, CRYPTO_atomic_add(&s->session_ctx->stats.sess_miss, 1, &discard,
s->session_ctx->lock); s->session_ctx->lock);
if (!ssl_get_new_session(s, 0)) { if (!ssl_get_new_session(s, 0)) {
goto f_err; /* SSLfatal() already called */
goto err;
} }
} }
...@@ -1447,11 +1474,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1447,11 +1474,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
/* Session version and negotiated protocol version should match */ /* Session version and negotiated protocol version should match */
if (s->version != s->session->ssl_version) { if (s->version != s->session->ssl_version) {
al = SSL_AD_PROTOCOL_VERSION; SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
SSL_R_SSL_SESSION_VERSION_MISMATCH); SSL_R_SSL_SESSION_VERSION_MISMATCH);
goto f_err; goto err;
} }
/* /*
* Now that we know the version, update the check to see if it's an allowed * Now that we know the version, update the check to see if it's an allowed
...@@ -1461,54 +1486,54 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1461,54 +1486,54 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
s->s3->tmp.max_ver = s->version; s->s3->tmp.max_ver = s->version;
if (!set_client_ciphersuite(s, cipherchars)) { if (!set_client_ciphersuite(s, cipherchars)) {
al = SSL_AD_ILLEGAL_PARAMETER; /* SSLfatal() already called */
goto f_err; goto err;
} }
#ifdef OPENSSL_NO_COMP #ifdef OPENSSL_NO_COMP
if (compression != 0) { if (compression != 0) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
goto f_err; goto err;
} }
/* /*
* If compression is disabled we'd better not try to resume a session * If compression is disabled we'd better not try to resume a session
* using compression. * using compression.
*/ */
if (s->session->compress_meth != 0) { if (s->session->compress_meth != 0) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO,
goto f_err; SSL_R_INCONSISTENT_COMPRESSION);
goto err;
} }
#else #else
if (s->hit && compression != s->session->compress_meth) { if (s->hit && compression != s->session->compress_meth) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
goto f_err; goto err;
} }
if (compression == 0) if (compression == 0)
comp = NULL; comp = NULL;
else if (!ssl_allow_compression(s)) { else if (!ssl_allow_compression(s)) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED); SSL_R_COMPRESSION_DISABLED);
goto f_err; goto err;
} else { } else {
comp = ssl3_comp_find(s->ctx->comp_methods, compression); comp = ssl3_comp_find(s->ctx->comp_methods, compression);
} }
if (compression != 0 && comp == NULL) { if (compression != 0 && comp == NULL) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
goto f_err; goto err;
} else { } else {
s->s3->tmp.new_compression = comp; s->s3->tmp.new_compression = comp;
} }
#endif #endif
if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, &al, 1)) if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) {
goto f_err; /* SSLfatal() already called */
goto err;
}
#ifndef OPENSSL_NO_SCTP #ifndef OPENSSL_NO_SCTP
if (SSL_IS_DTLS(s) && s->hit) { if (SSL_IS_DTLS(s) && s->hit) {
...@@ -1525,8 +1550,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1525,8 +1550,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
if (SSL_export_keying_material(s, sctpauthkey, if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey), sizeof(sctpauthkey),
labelbuffer, labelbuffer,
sizeof(labelbuffer), NULL, 0, 0) <= 0) sizeof(labelbuffer), NULL, 0, 0) <= 0) {
goto f_err; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
ERR_R_INTERNAL_ERROR);
goto err;
}
BIO_ctrl(SSL_get_wbio(s), BIO_ctrl(SSL_get_wbio(s),
BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
...@@ -1542,16 +1570,13 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) ...@@ -1542,16 +1570,13 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
&& (!s->method->ssl3_enc->setup_key_block(s) && (!s->method->ssl3_enc->setup_key_block(s)
|| !s->method->ssl3_enc->change_cipher_state(s, || !s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_CANNOT_CHANGE_CIPHER); goto err;
goto f_err;
} }
OPENSSL_free(extensions); OPENSSL_free(extensions);
return MSG_PROCESS_CONTINUE_READING; return MSG_PROCESS_CONTINUE_READING;
f_err: err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
OPENSSL_free(extensions); OPENSSL_free(extensions);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
...@@ -1561,20 +1586,20 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) ...@@ -1561,20 +1586,20 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
unsigned int sversion; unsigned int sversion;
const unsigned char *cipherchars; const unsigned char *cipherchars;
RAW_EXTENSION *extensions = NULL; RAW_EXTENSION *extensions = NULL;
int al;
PACKET extpkt; PACKET extpkt;
if (!PACKET_get_net_2(pkt, &sversion)) { if (!PACKET_get_net_2(pkt, &sversion)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
/* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */ /* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */
if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) { if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) {
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_WRONG_SSL_VERSION); SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
al = SSL_AD_PROTOCOL_VERSION; SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
goto f_err; SSL_R_WRONG_SSL_VERSION);
goto err;
} }
s->hello_retry_request = 1; s->hello_retry_request = 1;
...@@ -1587,14 +1612,14 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) ...@@ -1587,14 +1612,14 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
s->enc_write_ctx = NULL; s->enc_write_ctx = NULL;
if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
al = SSL_AD_DECODE_ERROR; SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (!set_client_ciphersuite(s, cipherchars)) { if (!set_client_ciphersuite(s, cipherchars)) {
al = SSL_AD_ILLEGAL_PARAMETER; /* SSLfatal() already called */
goto f_err; goto err;
} }
if (!PACKET_as_length_prefixed_2(pkt, &extpkt) if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
...@@ -1602,16 +1627,18 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) ...@@ -1602,16 +1627,18 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
|| PACKET_remaining(&extpkt) == 0 || PACKET_remaining(&extpkt) == 0
/* Must be no trailing data after extensions */ /* Must be no trailing data after extensions */
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_BAD_LENGTH); SSL_R_BAD_LENGTH);
goto f_err; goto err;
} }
if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
&extensions, &al, NULL, 1) &extensions, NULL, 1)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
extensions, NULL, 0, &al, 1)) extensions, NULL, 0, 1)) {
goto f_err; /* SSLfatal() already called */
goto err;
}
OPENSSL_free(extensions); OPENSSL_free(extensions);
extensions = NULL; extensions = NULL;
...@@ -1625,10 +1652,10 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) ...@@ -1625,10 +1652,10 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
* We didn't receive a cookie or a new key_share so the next * We didn't receive a cookie or a new key_share so the next
* ClientHello will not change * ClientHello will not change
*/ */
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST,
SSL_R_NO_CHANGE_FOLLOWING_HRR); SSL_R_NO_CHANGE_FOLLOWING_HRR);
goto f_err; goto err;
} }
/* /*
...@@ -1636,8 +1663,8 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) ...@@ -1636,8 +1663,8 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
* a synthetic message_hash in place of ClientHello1. * a synthetic message_hash in place of ClientHello1.
*/ */
if (!create_synthetic_message_hash(s)) { if (!create_synthetic_message_hash(s)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
goto f_err; goto err;
} }
/* /*
...@@ -1648,22 +1675,19 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) ...@@ -1648,22 +1675,19 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
*/ */
if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
s->init_num + SSL3_HM_HEADER_LENGTH)) { s->init_num + SSL3_HM_HEADER_LENGTH)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); goto err;
goto f_err;
} }
return MSG_PROCESS_FINISHED_READING; return MSG_PROCESS_FINISHED_READING;
f_err: err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
OPENSSL_free(extensions); OPENSSL_free(extensions);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
{ {
int al, i; int i;
MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
unsigned long cert_list_len, cert_len; unsigned long cert_list_len, cert_len;
X509 *x = NULL; X509 *x = NULL;
...@@ -1675,7 +1699,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1675,7 +1699,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
const SSL_CERT_LOOKUP *clu; const SSL_CERT_LOOKUP *clu;
if ((sk = sk_X509_new_null()) == NULL) { if ((sk = sk_X509_new_null()) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
...@@ -1684,31 +1709,31 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1684,31 +1709,31 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
|| !PACKET_get_net_3(pkt, &cert_list_len) || !PACKET_get_net_3(pkt, &cert_list_len)
|| PACKET_remaining(pkt) != cert_list_len || PACKET_remaining(pkt) != cert_list_len
|| PACKET_remaining(pkt) == 0) { || PACKET_remaining(pkt) == 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
if (!PACKET_get_net_3(pkt, &cert_len) if (!PACKET_get_net_3(pkt, &cert_len)
|| !PACKET_get_bytes(pkt, &certbytes, cert_len)) { || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH); SSL_R_CERT_LENGTH_MISMATCH);
goto f_err; goto err;
} }
certstart = certbytes; certstart = certbytes;
x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len); x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
if (x == NULL) { if (x == NULL) {
al = SSL_AD_BAD_CERTIFICATE; SSLfatal(s, SSL_AD_BAD_CERTIFICATE,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
goto f_err; goto err;
} }
if (certbytes != (certstart + cert_len)) { if (certbytes != (certstart + cert_len)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH); SSL_R_CERT_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
...@@ -1716,24 +1741,28 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1716,24 +1741,28 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
PACKET extensions; PACKET extensions;
if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH); SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
goto f_err; SSL_R_BAD_LENGTH);
goto err;
} }
if (!tls_collect_extensions(s, &extensions, if (!tls_collect_extensions(s, &extensions,
SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
&al, NULL, chainidx == 0) NULL, chainidx == 0)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
rawexts, x, chainidx, &al, rawexts, x, chainidx,
PACKET_remaining(pkt) == 0)) { PACKET_remaining(pkt) == 0)) {
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
goto f_err; /* SSLfatal already called */
goto err;
} }
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
} }
if (!sk_X509_push(sk, x)) { if (!sk_X509_push(sk, x)) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
x = NULL; x = NULL;
...@@ -1755,16 +1784,16 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1755,16 +1784,16 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
* set. The *documented* interface remains the same. * set. The *documented* interface remains the same.
*/ */
if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
al = ssl_verify_alarm_type(s->verify_result); SSLfatal(s, ssl_verify_alarm_type(s->verify_result),
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_CERTIFICATE_VERIFY_FAILED); SSL_R_CERTIFICATE_VERIFY_FAILED);
goto f_err; goto err;
} }
ERR_clear_error(); /* but we keep s->verify_result */ ERR_clear_error(); /* but we keep s->verify_result */
if (i > 1) { if (i > 1) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
al = SSL_AD_HANDSHAKE_FAILURE; SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i);
goto f_err; goto err;
} }
s->session->peer_chain = sk; s->session->peer_chain = sk;
...@@ -1779,18 +1808,17 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1779,18 +1808,17 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
x = NULL; x = NULL;
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
goto f_err; goto err;
} }
if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) {
x = NULL; x = NULL;
al = SSL3_AL_FATAL; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_UNKNOWN_CERTIFICATE_TYPE); SSL_R_UNKNOWN_CERTIFICATE_TYPE);
goto f_err; goto err;
} }
/* /*
* Check certificate type is consistent with ciphersuite. For TLS 1.3 * Check certificate type is consistent with ciphersuite. For TLS 1.3
...@@ -1800,10 +1828,10 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1800,10 +1828,10 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
if (!SSL_IS_TLS13(s)) { if (!SSL_IS_TLS13(s)) {
if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) { if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) {
x = NULL; x = NULL;
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_WRONG_CERTIFICATE_TYPE); SSL_R_WRONG_CERTIFICATE_TYPE);
goto f_err; goto err;
} }
} }
s->session->peer_type = certidx; s->session->peer_type = certidx;
...@@ -1819,19 +1847,13 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1819,19 +1847,13 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
&& !ssl_handshake_hash(s, s->cert_verify_hash, && !ssl_handshake_hash(s, s->cert_verify_hash,
sizeof(s->cert_verify_hash), sizeof(s->cert_verify_hash),
&s->cert_verify_hash_len)) { &s->cert_verify_hash_len)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); goto err;
goto f_err;
} }
ret = MSG_PROCESS_CONTINUE_READING; ret = MSG_PROCESS_CONTINUE_READING;
goto done;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err: err:
ossl_statem_set_error(s);
done:
X509_free(x); X509_free(x);
sk_X509_pop_free(sk, X509_free); sk_X509_pop_free(sk, X509_free);
return ret; return ret;
...@@ -2169,12 +2191,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) ...@@ -2169,12 +2191,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
goto err; goto err;
} }
rv = tls12_check_peer_sigalg(s, sigalg, pkey); if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
if (rv == -1) { /* SSLfatal() already called */
al = SSL_AD_INTERNAL_ERROR;
goto err;
} else if (rv == 0) {
al = SSL_AD_DECODE_ERROR;
goto err; goto err;
} }
#ifdef SSL_DEBUG #ifdef SSL_DEBUG
...@@ -2238,8 +2256,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) ...@@ -2238,8 +2256,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params), tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
PACKET_remaining(&params)); PACKET_remaining(&params));
if (tbslen == 0) { if (tbslen == 0) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
...@@ -2260,6 +2277,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) ...@@ -2260,6 +2277,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
/* Might be wrong key type, check it */ /* Might be wrong key type, check it */
if (ssl3_check_cert_and_algorithm(s)) { if (ssl3_check_cert_and_algorithm(s)) {
/* Otherwise this shouldn't happen */ /* Otherwise this shouldn't happen */
/* SSLfatal() already called TODO: Fix this */
al = SSL_AD_INTERNAL_ERROR; al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
} else { } else {
...@@ -2277,17 +2295,15 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) ...@@ -2277,17 +2295,15 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
return MSG_PROCESS_CONTINUE_READING; return MSG_PROCESS_CONTINUE_READING;
err: err:
if (al != -1) /* TODO: Remove this SSLfatal call and convert the rest of this function */
ssl3_send_alert(s, SSL3_AL_FATAL, al); SSLfatal(s, al != -1 ? al : SSL_AD_NO_ALERT, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
ossl_statem_set_error(s); ERR_R_INTERNAL_ERROR);
EVP_MD_CTX_free(md_ctx); EVP_MD_CTX_free(md_ctx);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
{ {
MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
int al = SSL_AD_DECODE_ERROR;
size_t i; size_t i;
/* Clear certificate validity flags */ /* Clear certificate validity flags */
...@@ -2305,92 +2321,98 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) ...@@ -2305,92 +2321,98 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
/* TODO(TLS1.3) need to process request context, for now ignore */ /* TODO(TLS1.3) need to process request context, for now ignore */
if (!PACKET_get_length_prefixed_1(pkt, &reqctx)) { if (!PACKET_get_length_prefixed_1(pkt, &reqctx)) {
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; return MSG_PROCESS_ERROR;
} }
if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_BAD_LENGTH); SSLfatal(s, SSL_AD_DECODE_ERROR,
goto err; SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
SSL_R_BAD_LENGTH);
return MSG_PROCESS_ERROR;
} }
if (!tls_collect_extensions(s, &extensions, if (!tls_collect_extensions(s, &extensions,
SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
&rawexts, &al, NULL, 1) &rawexts, NULL, 1)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
rawexts, NULL, 0, &al, 1)) { rawexts, NULL, 0, 1)) {
/* SSLfatal() already called */
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
goto err; return MSG_PROCESS_ERROR;
} }
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
if (!tls1_process_sigalgs(s)) { if (!tls1_process_sigalgs(s)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
goto err; SSL_R_BAD_LENGTH);
return MSG_PROCESS_ERROR;
} }
} else { } else {
PACKET ctypes; PACKET ctypes;
/* get the certificate types */ /* get the certificate types */
if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) { if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; return MSG_PROCESS_ERROR;
} }
if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) { if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
goto err; ERR_R_INTERNAL_ERROR);
return MSG_PROCESS_ERROR;
} }
if (SSL_USE_SIGALGS(s)) { if (SSL_USE_SIGALGS(s)) {
PACKET sigalgs; PACKET sigalgs;
if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) { if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; return MSG_PROCESS_ERROR;
} }
if (!tls1_save_sigalgs(s, &sigalgs)) { if (!tls1_save_sigalgs(s, &sigalgs)) {
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
SSL_R_SIGNATURE_ALGORITHMS_ERROR); SSL_R_SIGNATURE_ALGORITHMS_ERROR);
goto err; return MSG_PROCESS_ERROR;
} }
if (!tls1_process_sigalgs(s)) { if (!tls1_process_sigalgs(s)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
goto err; return MSG_PROCESS_ERROR;
} }
} }
/* get the CA RDNs */ /* get the CA RDNs */
if (!parse_ca_names(s, pkt, &al)) if (!parse_ca_names(s, pkt)) {
goto err; /* SSLfatal() already called */
return MSG_PROCESS_ERROR;
}
} }
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
goto err; SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
SSL_R_LENGTH_MISMATCH);
return MSG_PROCESS_ERROR;
} }
/* we should setup a certificate to return.... */ /* we should setup a certificate to return.... */
s->s3->tmp.cert_req = 1; s->s3->tmp.cert_req = 1;
ret = MSG_PROCESS_CONTINUE_PROCESSING; return MSG_PROCESS_CONTINUE_PROCESSING;
goto done;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
done:
return ret;
} }
MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
{ {
int al = SSL_AD_DECODE_ERROR;
unsigned int ticklen; unsigned int ticklen;
unsigned long ticket_lifetime_hint, age_add = 0; unsigned long ticket_lifetime_hint, age_add = 0;
unsigned int sess_len; unsigned int sess_len;
...@@ -2407,8 +2429,9 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) ...@@ -2407,8 +2429,9 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
|| (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen) || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
|| (SSL_IS_TLS13(s) || (SSL_IS_TLS13(s)
&& (ticklen == 0 || PACKET_remaining(pkt) < ticklen))) { && (ticklen == 0 || PACKET_remaining(pkt) < ticklen))) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
goto f_err; SSL_R_LENGTH_MISMATCH);
goto err;
} }
/* /*
...@@ -2435,9 +2458,10 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) ...@@ -2435,9 +2458,10 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
* one * one
*/ */
if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
goto f_err; ERR_R_MALLOC_FAILURE);
goto err;
} }
if (i & SSL_SESS_CACHE_CLIENT) { if (i & SSL_SESS_CACHE_CLIENT) {
...@@ -2463,13 +2487,14 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) ...@@ -2463,13 +2487,14 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
s->session->ext.tick = OPENSSL_malloc(ticklen); s->session->ext.tick = OPENSSL_malloc(ticklen);
if (s->session->ext.tick == NULL) { if (s->session->ext.tick == NULL) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
...@@ -2483,12 +2508,12 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) ...@@ -2483,12 +2508,12 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
|| PACKET_remaining(pkt) != 0 || PACKET_remaining(pkt) != 0
|| !tls_collect_extensions(s, &extpkt, || !tls_collect_extensions(s, &extpkt,
SSL_EXT_TLS1_3_NEW_SESSION_TICKET, SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
&exts, &al, NULL, 1) &exts, NULL, 1)
|| !tls_parse_all_extensions(s, || !tls_parse_all_extensions(s,
SSL_EXT_TLS1_3_NEW_SESSION_TICKET, SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
exts, NULL, 0, &al, 1)) { exts, NULL, 0, 1)) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_BAD_EXTENSION); /* SSLfatal() already called */
goto f_err; goto err;
} }
} }
...@@ -2510,7 +2535,8 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) ...@@ -2510,7 +2535,8 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
if (!EVP_Digest(s->session->ext.tick, ticklen, if (!EVP_Digest(s->session->ext.tick, ticklen,
s->session->session_id, &sess_len, s->session->session_id, &sess_len,
EVP_sha256(), NULL)) { EVP_sha256(), NULL)) {
SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
ERR_R_EVP_LIB);
goto err; goto err;
} }
s->session->session_id_length = sess_len; s->session->session_id_length = sess_len;
...@@ -2523,46 +2549,41 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) ...@@ -2523,46 +2549,41 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
} }
return MSG_PROCESS_CONTINUE_READING; return MSG_PROCESS_CONTINUE_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err: err:
ossl_statem_set_error(s);
OPENSSL_free(exts); OPENSSL_free(exts);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
/* /*
* In TLSv1.3 this is called from the extensions code, otherwise it is used to * In TLSv1.3 this is called from the extensions code, otherwise it is used to
* parse a separate message. Returns 1 on success or 0 on failure. On failure * parse a separate message. Returns 1 on success or 0 on failure
* |*al| is populated with a suitable alert code.
*/ */
int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al) int tls_process_cert_status_body(SSL *s, PACKET *pkt)
{ {
size_t resplen; size_t resplen;
unsigned int type; unsigned int type;
if (!PACKET_get_1(pkt, &type) if (!PACKET_get_1(pkt, &type)
|| type != TLSEXT_STATUSTYPE_ocsp) { || type != TLSEXT_STATUSTYPE_ocsp) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
SSL_R_UNSUPPORTED_STATUS_TYPE); SSL_R_UNSUPPORTED_STATUS_TYPE);
return 0; return 0;
} }
if (!PACKET_get_net_3_len(pkt, &resplen) if (!PACKET_get_net_3_len(pkt, &resplen)
|| PACKET_remaining(pkt) != resplen) { || PACKET_remaining(pkt) != resplen) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
s->ext.ocsp.resp = OPENSSL_malloc(resplen); s->ext.ocsp.resp = OPENSSL_malloc(resplen);
if (s->ext.ocsp.resp == NULL) { if (s->ext.ocsp.resp == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
s->ext.ocsp.resp_len = resplen; s->ext.ocsp.resp_len = resplen;
...@@ -2573,11 +2594,8 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al) ...@@ -2573,11 +2594,8 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al)
MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
{ {
int al; if (!tls_process_cert_status_body(s, pkt)) {
/* SSLfatal() already called */
if (!tls_process_cert_status_body(s, pkt, &al)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
...@@ -2590,14 +2608,14 @@ MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) ...@@ -2590,14 +2608,14 @@ MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
* In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
* on failure. * on failure.
*/ */
int tls_process_initial_server_flight(SSL *s, int *al) int tls_process_initial_server_flight(SSL *s)
{ {
/* /*
* at this point we check that we have the required stuff from * at this point we check that we have the required stuff from
* the server * the server
*/ */
if (!ssl3_check_cert_and_algorithm(s)) { if (!ssl3_check_cert_and_algorithm(s)) {
*al = SSL_AD_HANDSHAKE_FAILURE; /* SSLfatal() already called */
return 0; return 0;
} }
...@@ -2611,14 +2629,14 @@ int tls_process_initial_server_flight(SSL *s, int *al) ...@@ -2611,14 +2629,14 @@ int tls_process_initial_server_flight(SSL *s, int *al)
int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
if (ret == 0) { if (ret == 0) {
*al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
SSL_R_INVALID_STATUS_RESPONSE); SSL_R_INVALID_STATUS_RESPONSE);
return 0; return 0;
} }
if (ret < 0) { if (ret < 0) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT, SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
...@@ -2627,7 +2645,7 @@ int tls_process_initial_server_flight(SSL *s, int *al) ...@@ -2627,7 +2645,7 @@ int tls_process_initial_server_flight(SSL *s, int *al)
if (s->ct_validation_callback != NULL) { if (s->ct_validation_callback != NULL) {
/* Note we validate the SCTs whether or not we abort on error */ /* Note we validate the SCTs whether or not we abort on error */
if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
*al = SSL_AD_HANDSHAKE_FAILURE; /* SSLfatal() already called */
return 0; return 0;
} }
} }
...@@ -2638,35 +2656,28 @@ int tls_process_initial_server_flight(SSL *s, int *al) ...@@ -2638,35 +2656,28 @@ int tls_process_initial_server_flight(SSL *s, int *al)
MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
if (PACKET_remaining(pkt) > 0) { if (PACKET_remaining(pkt) > 0) {
/* should contain no data */ /* should contain no data */
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE,
SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; return MSG_PROCESS_ERROR;
} }
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
if (SRP_Calc_A_param(s) <= 0) { if (SRP_Calc_A_param(s) <= 0) {
SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE,
goto err; SSL_R_SRP_A_CALC);
return MSG_PROCESS_ERROR;
} }
} }
#endif #endif
/* if (!tls_process_initial_server_flight(s)) {
* Error queue messages are generated directly by this function /* SSLfatal() already called */
*/ return MSG_PROCESS_ERROR;
if (!tls_process_initial_server_flight(s, &al)) }
goto err;
return MSG_PROCESS_FINISHED_READING; return MSG_PROCESS_FINISHED_READING;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
} }
static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt, int *al) static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt, int *al)
...@@ -3189,7 +3200,7 @@ int tls_client_key_exchange_post_work(SSL *s) ...@@ -3189,7 +3200,7 @@ int tls_client_key_exchange_post_work(SSL *s)
static int ssl3_check_client_certificate(SSL *s) static int ssl3_check_client_certificate(SSL *s)
{ {
/* If no suitable signature algorithm can't use certificate */ /* If no suitable signature algorithm can't use certificate */
if (!tls_choose_sigalg(s, NULL) || s->s3->tmp.sigalg == NULL) if (!tls_choose_sigalg(s, 0) || s->s3->tmp.sigalg == NULL)
return 0; return 0;
/* /*
* If strict mode check suitability of chain before using it. This also * If strict mode check suitability of chain before using it. This also
...@@ -3216,8 +3227,9 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) ...@@ -3216,8 +3227,9 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
return WORK_MORE_A; return WORK_MORE_A;
} }
if (i == 0) { if (i == 0) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
ossl_statem_set_error(s); SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
SSL_R_CALLBACK_FAILED);
return WORK_ERROR; return WORK_ERROR;
} }
s->rwstate = SSL_NOTHING; s->rwstate = SSL_NOTHING;
...@@ -3262,8 +3274,7 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) ...@@ -3262,8 +3274,7 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
} else { } else {
s->s3->tmp.cert_req = 2; s->s3->tmp.cert_req = 2;
if (!ssl3_digest_cached_records(s, 0)) { if (!ssl3_digest_cached_records(s, 0)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); /* SSLfatal() already called */
ossl_statem_set_error(s);
return WORK_ERROR; return WORK_ERROR;
} }
} }
...@@ -3278,39 +3289,36 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) ...@@ -3278,39 +3289,36 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
int tls_construct_client_certificate(SSL *s, WPACKET *pkt) int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
/* /*
* TODO(TLS1.3): For now we must put an empty context. Needs to be filled in * TODO(TLS1.3): For now we must put an empty context. Needs to be filled in
* later * later
*/ */
if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
|| !ssl3_output_cert_chain(s, pkt, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
return 0;
}
if (!ssl3_output_cert_chain(s, pkt,
(s->s3->tmp.cert_req == 2) ? NULL (s->s3->tmp.cert_req == 2) ? NULL
: s->cert->key, : s->cert->key)) {
&al)) { /* SSLfatal() already called */
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); return 0;
goto err;
} }
if (SSL_IS_TLS13(s) if (SSL_IS_TLS13(s)
&& SSL_IS_FIRST_HANDSHAKE(s) && SSL_IS_FIRST_HANDSHAKE(s)
&& (!s->method->ssl3_enc->change_cipher_state(s, && (!s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE,
SSL_R_CANNOT_CHANGE_CIPHER);
/* /*
* This is a fatal error, which leaves * This is a fatal error, which leaves enc_write_ctx in an inconsisten
* enc_write_ctx in an inconsistent state * state and thus ssl3_send_alert may crash.
* and thus ssl3_send_alert may crash.
*/ */
SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE,
SSL_R_CANNOT_CHANGE_CIPHER);
return 0; return 0;
} }
return 1; return 1;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
} }
int ssl3_check_cert_and_algorithm(SSL *s) int ssl3_check_cert_and_algorithm(SSL *s)
...@@ -3318,7 +3326,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) ...@@ -3318,7 +3326,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
const SSL_CERT_LOOKUP *clu; const SSL_CERT_LOOKUP *clu;
size_t idx; size_t idx;
long alg_k, alg_a; long alg_k, alg_a;
int al = SSL_AD_HANDSHAKE_FAILURE;
alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
alg_a = s->s3->tmp.new_cipher->algorithm_auth; alg_a = s->s3->tmp.new_cipher->algorithm_auth;
...@@ -3332,37 +3339,38 @@ int ssl3_check_cert_and_algorithm(SSL *s) ...@@ -3332,37 +3339,38 @@ int ssl3_check_cert_and_algorithm(SSL *s)
/* Check certificate is recognised and suitable for cipher */ /* Check certificate is recognised and suitable for cipher */
if (clu == NULL || (alg_a & clu->amask) == 0) { if (clu == NULL || (alg_a & clu->amask) == 0) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_SIGNING_CERT); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
goto f_err; SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_SIGNING_CERT);
return 0;
} }
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
if (clu->amask & SSL_aECDSA) { if (clu->amask & SSL_aECDSA) {
if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
return 1; return 1;
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
goto f_err; SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
return 0;
} }
#endif #endif
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA
if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) { if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_RSA_ENCRYPTING_CERT); SSL_R_MISSING_RSA_ENCRYPTING_CERT);
goto f_err; return 0;
} }
#endif #endif
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) { if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return 0;
} }
#endif #endif
return 1; return 1;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
} }
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
...@@ -3393,9 +3401,8 @@ MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) ...@@ -3393,9 +3401,8 @@ MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
{ {
if (PACKET_remaining(pkt) > 0) { if (PACKET_remaining(pkt) > 0) {
/* should contain no data */ /* should contain no data */
SSLerr(SSL_F_TLS_PROCESS_HELLO_REQ, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_REQ,
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSL_R_LENGTH_MISMATCH);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
...@@ -3421,30 +3428,29 @@ MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) ...@@ -3421,30 +3428,29 @@ MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
PACKET extensions; PACKET extensions;
RAW_EXTENSION *rawexts = NULL; RAW_EXTENSION *rawexts = NULL;
if (!PACKET_as_length_prefixed_2(pkt, &extensions) if (!PACKET_as_length_prefixed_2(pkt, &extensions)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS,
SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; goto err;
} }
if (!tls_collect_extensions(s, &extensions, if (!tls_collect_extensions(s, &extensions,
SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
&al, NULL, 1) NULL, 1)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
rawexts, NULL, 0, &al, 1)) rawexts, NULL, 0, 1)) {
/* SSLfatal() already called */
goto err; goto err;
}
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
return MSG_PROCESS_CONTINUE_READING; return MSG_PROCESS_CONTINUE_READING;
err: err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
...@@ -3474,8 +3480,11 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) ...@@ -3474,8 +3480,11 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
/* Set disabled masks for this session */ /* Set disabled masks for this session */
ssl_set_client_disabled(s); ssl_set_client_disabled(s);
if (sk == NULL) if (sk == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
}
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
...@@ -3507,7 +3516,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) ...@@ -3507,7 +3516,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
continue; continue;
if (!s->method->put_cipher_by_char(c, pkt, &len)) { if (!s->method->put_cipher_by_char(c, pkt, &len)) {
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -3528,7 +3538,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) ...@@ -3528,7 +3538,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
} }
if (totlen == 0 || !maxverok) { if (totlen == 0 || !maxverok) {
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
SSL_R_NO_CIPHERS_AVAILABLE);
if (!maxverok) if (!maxverok)
ERR_add_error_data(1, "No ciphers enabled for max supported " ERR_add_error_data(1, "No ciphers enabled for max supported "
...@@ -3543,7 +3554,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) ...@@ -3543,7 +3554,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
}; };
if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
...@@ -3552,7 +3564,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) ...@@ -3552,7 +3564,8 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
}; };
if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
......
ssl/statem/statem_lib.c
浏览文件 @ f63a17d6
...@@ -70,8 +70,10 @@ int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) ...@@ -70,8 +70,10 @@ int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
int tls_setup_handshake(SSL *s) int tls_setup_handshake(SSL *s)
{ {
if (!ssl3_init_finished_mac(s)) if (!ssl3_init_finished_mac(s)) {
/* SSLfatal() already called */
return 0; return 0;
}
/* Reset any extension flags */ /* Reset any extension flags */
memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
...@@ -194,6 +196,7 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, ...@@ -194,6 +196,7 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
hashlen = s->cert_verify_hash_len; hashlen = s->cert_verify_hash_len;
} else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
EVP_MAX_MD_SIZE, &hashlen)) { EVP_MAX_MD_SIZE, &hashlen)) {
/* SSLfatal() already called */
return 0; return 0;
} }
...@@ -203,8 +206,11 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, ...@@ -203,8 +206,11 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
size_t retlen; size_t retlen;
retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata); retlen = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
if (retlen <= 0) if (retlen <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
}
*hdatalen = retlen; *hdatalen = retlen;
} }
...@@ -242,7 +248,7 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) ...@@ -242,7 +248,7 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
/* Get the data to be signed */ /* Get the data to be signed */
if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
...@@ -322,7 +328,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) ...@@ -322,7 +328,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
#ifndef OPENSSL_NO_GOST #ifndef OPENSSL_NO_GOST
unsigned char *gost_data = NULL; unsigned char *gost_data = NULL;
#endif #endif
int al = SSL_AD_INTERNAL_ERROR;
MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
int j; int j;
unsigned int len; unsigned int len;
...@@ -335,49 +340,50 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) ...@@ -335,49 +340,50 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
EVP_PKEY_CTX *pctx = NULL; EVP_PKEY_CTX *pctx = NULL;
if (mctx == NULL) { if (mctx == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
goto f_err; ERR_R_MALLOC_FAILURE);
goto err;
} }
peer = s->session->peer; peer = s->session->peer;
pkey = X509_get0_pubkey(peer); pkey = X509_get0_pubkey(peer);
if (pkey == NULL) if (pkey == NULL) {
goto f_err; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
ERR_R_INTERNAL_ERROR);
goto err;
}
if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) { if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
al = SSL_AD_ILLEGAL_PARAMETER; goto err;
goto f_err;
} }
if (SSL_USE_SIGALGS(s)) { if (SSL_USE_SIGALGS(s)) {
int rv;
unsigned int sigalg; unsigned int sigalg;
if (!PACKET_get_net_2(pkt, &sigalg)) { if (!PACKET_get_net_2(pkt, &sigalg)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
goto f_err; SSL_R_BAD_PACKET);
goto err;
} }
rv = tls12_check_peer_sigalg(s, sigalg, pkey); if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
if (rv == -1) { /* SSLfatal() already called */
goto f_err; goto err;
} else if (rv == 0) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
} }
#ifdef SSL_DEBUG #ifdef SSL_DEBUG
fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif #endif
} else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
goto f_err; ERR_R_INTERNAL_ERROR);
goto err;
} }
if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
al = SSL_AD_INTERNAL_ERROR; ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
/* Check for broken implementations of GOST ciphersuites */ /* Check for broken implementations of GOST ciphersuites */
...@@ -396,35 +402,36 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) ...@@ -396,35 +402,36 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
} else } else
#endif #endif
if (!PACKET_get_net_2(pkt, &len)) { if (!PACKET_get_net_2(pkt, &len)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
al = SSL_AD_DECODE_ERROR; SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
j = EVP_PKEY_size(pkey); j = EVP_PKEY_size(pkey);
if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
|| (PACKET_remaining(pkt) == 0)) { || (PACKET_remaining(pkt) == 0)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
al = SSL_AD_DECODE_ERROR; SSL_R_WRONG_SIGNATURE_SIZE);
goto f_err; goto err;
} }
if (!PACKET_get_bytes(pkt, &data, len)) { if (!PACKET_get_bytes(pkt, &data, len)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
al = SSL_AD_DECODE_ERROR; SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto f_err; goto err;
} }
#ifdef SSL_DEBUG #ifdef SSL_DEBUG
fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
#endif #endif
if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) { if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
goto f_err; ERR_R_EVP_LIB);
goto err;
} }
#ifndef OPENSSL_NO_GOST #ifndef OPENSSL_NO_GOST
{ {
...@@ -433,8 +440,9 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) ...@@ -433,8 +440,9 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
|| pktype == NID_id_GostR3410_2012_256 || pktype == NID_id_GostR3410_2012_256
|| pktype == NID_id_GostR3410_2012_512) { || pktype == NID_id_GostR3410_2012_512) {
if ((gost_data = OPENSSL_malloc(len)) == NULL) { if ((gost_data = OPENSSL_malloc(len)) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
goto f_err; SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
} }
BUF_reverse(gost_data, data, len); BUF_reverse(gost_data, data, len);
data = gost_data; data = gost_data;
...@@ -446,8 +454,9 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) ...@@ -446,8 +454,9 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
|| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
RSA_PSS_SALTLEN_DIGEST) <= 0) { RSA_PSS_SALTLEN_DIGEST) <= 0) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
goto f_err; ERR_R_EVP_LIB);
goto err;
} }
} }
if (s->version == SSL3_VERSION) { if (s->version == SSL3_VERSION) {
...@@ -455,29 +464,26 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) ...@@ -455,29 +464,26 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
|| !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
(int)s->session->master_key_length, (int)s->session->master_key_length,
s->session->master_key)) { s->session->master_key)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
goto f_err; ERR_R_EVP_LIB);
goto err;
} }
if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) { if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
al = SSL_AD_DECRYPT_ERROR; SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); SSL_R_BAD_SIGNATURE);
goto f_err; goto err;
} }
} else { } else {
j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen); j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
if (j <= 0) { if (j <= 0) {
al = SSL_AD_DECRYPT_ERROR; SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE); SSL_R_BAD_SIGNATURE);
goto f_err; goto err;
} }
} }
ret = MSG_PROCESS_CONTINUE_READING; ret = MSG_PROCESS_CONTINUE_READING;
if (0) { err:
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
}
BIO_free(s->s3->handshake_buffer); BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL; s->s3->handshake_buffer = NULL;
EVP_MD_CTX_free(mctx); EVP_MD_CTX_free(mctx);
...@@ -589,14 +595,13 @@ int tls_construct_key_update(SSL *s, WPACKET *pkt) ...@@ -589,14 +595,13 @@ int tls_construct_key_update(SSL *s, WPACKET *pkt)
MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
{ {
int al;
unsigned int updatetype; unsigned int updatetype;
s->key_update_count++; s->key_update_count++;
if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) { if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_TOO_MANY_KEY_UPDATES); SSL_R_TOO_MANY_KEY_UPDATES);
goto err; return MSG_PROCESS_ERROR;
} }
/* /*
...@@ -604,16 +609,16 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) ...@@ -604,16 +609,16 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
* be on a record boundary. * be on a record boundary.
*/ */
if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_NOT_ON_RECORD_BOUNDARY); SSL_R_NOT_ON_RECORD_BOUNDARY);
goto err; return MSG_PROCESS_ERROR;
} }
if (!PACKET_get_1(pkt, &updatetype) if (!PACKET_get_1(pkt, &updatetype)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE); SSL_R_BAD_KEY_UPDATE);
goto err; return MSG_PROCESS_ERROR;
} }
/* /*
...@@ -622,9 +627,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) ...@@ -622,9 +627,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
*/ */
if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
&& updatetype != SSL_KEY_UPDATE_REQUESTED) { && updatetype != SSL_KEY_UPDATE_REQUESTED) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE); SSL_R_BAD_KEY_UPDATE);
goto err; return MSG_PROCESS_ERROR;
} }
/* /*
...@@ -636,16 +641,11 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) ...@@ -636,16 +641,11 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
if (!tls13_update_key(s, 0)) { if (!tls13_update_key(s, 0)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, ERR_R_INTERNAL_ERROR); return MSG_PROCESS_ERROR;
goto err;
} }
return MSG_PROCESS_FINISHED_READING; return MSG_PROCESS_FINISHED_READING;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
} }
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
...@@ -680,7 +680,6 @@ static void ssl3_take_mac(SSL *s) ...@@ -680,7 +680,6 @@ static void ssl3_take_mac(SSL *s)
MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
{ {
int al;
size_t remain; size_t remain;
remain = PACKET_remaining(pkt); remain = PACKET_remaining(pkt);
...@@ -694,32 +693,32 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) ...@@ -694,32 +693,32 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
&& remain != DTLS1_CCS_HEADER_LENGTH + 1) && remain != DTLS1_CCS_HEADER_LENGTH + 1)
|| (s->version != DTLS1_BAD_VER || (s->version != DTLS1_BAD_VER
&& remain != DTLS1_CCS_HEADER_LENGTH - 1)) { && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
SSL_R_BAD_CHANGE_CIPHER_SPEC); SSL_R_BAD_CHANGE_CIPHER_SPEC);
goto f_err; return MSG_PROCESS_ERROR;
} }
} else { } else {
if (remain != 0) { if (remain != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
SSL_R_BAD_CHANGE_CIPHER_SPEC); SSL_R_BAD_CHANGE_CIPHER_SPEC);
goto f_err; return MSG_PROCESS_ERROR;
} }
} }
/* Check we have a cipher to change to */ /* Check we have a cipher to change to */
if (s->s3->tmp.new_cipher == NULL) { if (s->s3->tmp.new_cipher == NULL) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
goto f_err; return MSG_PROCESS_ERROR;
} }
s->s3->change_cipher_spec = 1; s->s3->change_cipher_spec = 1;
if (!ssl3_do_change_cipher_spec(s)) { if (!ssl3_do_change_cipher_spec(s)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return MSG_PROCESS_ERROR;
} }
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
...@@ -739,15 +738,10 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) ...@@ -739,15 +738,10 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
} }
return MSG_PROCESS_CONTINUE_READING; return MSG_PROCESS_CONTINUE_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
} }
MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
size_t md_len; size_t md_len;
...@@ -760,41 +754,41 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) ...@@ -760,41 +754,41 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
* message must be on a record boundary. * message must be on a record boundary.
*/ */
if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_NOT_ON_RECORD_BOUNDARY); SSL_R_NOT_ON_RECORD_BOUNDARY);
goto f_err; return MSG_PROCESS_ERROR;
} }
/* If this occurs, we have missed a message */ /* If this occurs, we have missed a message */
if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); SSL_R_GOT_A_FIN_BEFORE_A_CCS);
goto f_err; return MSG_PROCESS_ERROR;
} }
s->s3->change_cipher_spec = 0; s->s3->change_cipher_spec = 0;
md_len = s->s3->tmp.peer_finish_md_len; md_len = s->s3->tmp.peer_finish_md_len;
if (md_len != PACKET_remaining(pkt)) { if (md_len != PACKET_remaining(pkt)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_BAD_DIGEST_LENGTH); SSL_R_BAD_DIGEST_LENGTH);
goto f_err; return MSG_PROCESS_ERROR;
} }
if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
md_len) != 0) { md_len) != 0) {
al = SSL_AD_DECRYPT_ERROR; SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_DIGEST_CHECK_FAILED); SSL_R_DIGEST_CHECK_FAILED);
goto f_err; return MSG_PROCESS_ERROR;
} }
/* /*
* Copy the finished so we can use it for renegotiation checks * Copy the finished so we can use it for renegotiation checks
*/ */
if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) { if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
SSLerr(SSL_F_TLS_PROCESS_FINISHED, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; return MSG_PROCESS_ERROR;
} }
if (s->server) { if (s->server) {
memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
...@@ -814,31 +808,29 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) ...@@ -814,31 +808,29 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
if (s->server) { if (s->server) {
if (!s->method->ssl3_enc->change_cipher_state(s, if (!s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); /* SSLfatal() already called */
goto f_err; return MSG_PROCESS_ERROR;
} }
} else { } else {
if (!s->method->ssl3_enc->generate_master_secret(s, if (!s->method->ssl3_enc->generate_master_secret(s,
s->master_secret, s->handshake_secret, 0, s->master_secret, s->handshake_secret, 0,
&s->session->master_key_length)) { &s->session->master_key_length)) {
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); /* SSLfatal() already called */
goto f_err; return MSG_PROCESS_ERROR;
} }
if (!s->method->ssl3_enc->change_cipher_state(s, if (!s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); /* SSLfatal() already called */
goto f_err; return MSG_PROCESS_ERROR;
}
if (!tls_process_initial_server_flight(s)) {
/* SSLfatal() already called */
return MSG_PROCESS_ERROR;
} }
if (!tls_process_initial_server_flight(s, &al))
goto f_err;
} }
} }
return MSG_PROCESS_FINISHED_READING; return MSG_PROCESS_FINISHED_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
} }
int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
...@@ -853,42 +845,42 @@ int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) ...@@ -853,42 +845,42 @@ int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
} }
/* Add a certificate to the WPACKET */ /* Add a certificate to the WPACKET */
static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain, static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
int *al)
{ {
int len; int len;
unsigned char *outbytes; unsigned char *outbytes;
len = i2d_X509(x, NULL); len = i2d_X509(x, NULL);
if (len < 0) { if (len < 0) {
SSLerr(SSL_F_SSL_ADD_CERT_TO_WPACKET, ERR_R_BUF_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
*al = SSL_AD_INTERNAL_ERROR; ERR_R_BUF_LIB);
return 0; return 0;
} }
if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes) if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
|| i2d_X509(x, &outbytes) != len) { || i2d_X509(x, &outbytes) != len) {
SSLerr(SSL_F_SSL_ADD_CERT_TO_WPACKET, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
*al = SSL_AD_INTERNAL_ERROR; ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
if (SSL_IS_TLS13(s) if (SSL_IS_TLS13(s)
&& !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x, && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
chain, al)) chain)) {
/* SSLfatal() already called */
return 0; return 0;
}
return 1; return 1;
} }
/* Add certificate chain to provided WPACKET */ /* Add certificate chain to provided WPACKET */
static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, int *al) static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
{ {
int i, chain_count; int i, chain_count;
X509 *x; X509 *x;
STACK_OF(X509) *extra_certs; STACK_OF(X509) *extra_certs;
STACK_OF(X509) *chain = NULL; STACK_OF(X509) *chain = NULL;
X509_STORE *chain_store; X509_STORE *chain_store;
int tmpal = SSL_AD_INTERNAL_ERROR;
if (cpk == NULL || cpk->x509 == NULL) if (cpk == NULL || cpk->x509 == NULL)
return 1; return 1;
...@@ -914,13 +906,15 @@ static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, int *al) ...@@ -914,13 +906,15 @@ static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, int *al)
X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new(); X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
if (xs_ctx == NULL) { if (xs_ctx == NULL) {
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
goto err; ERR_R_MALLOC_FAILURE);
return 0;
} }
if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) { if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
X509_STORE_CTX_free(xs_ctx); X509_STORE_CTX_free(xs_ctx);
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_X509_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
goto err; ERR_R_X509_LIB);
return 0;
} }
/* /*
* It is valid for the chain not to be complete (because normally we * It is valid for the chain not to be complete (because normally we
...@@ -941,52 +935,58 @@ static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, int *al) ...@@ -941,52 +935,58 @@ static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, int *al)
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
#endif #endif
X509_STORE_CTX_free(xs_ctx); X509_STORE_CTX_free(xs_ctx);
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
goto err; return 0;
} }
chain_count = sk_X509_num(chain); chain_count = sk_X509_num(chain);
for (i = 0; i < chain_count; i++) { for (i = 0; i < chain_count; i++) {
x = sk_X509_value(chain, i); x = sk_X509_value(chain, i);
if (!ssl_add_cert_to_wpacket(s, pkt, x, i, &tmpal)) { if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
/* SSLfatal() already called */
X509_STORE_CTX_free(xs_ctx); X509_STORE_CTX_free(xs_ctx);
goto err; return 0;
} }
} }
X509_STORE_CTX_free(xs_ctx); X509_STORE_CTX_free(xs_ctx);
} else { } else {
i = ssl_security_cert_chain(s, extra_certs, x, 0); i = ssl_security_cert_chain(s, extra_certs, x, 0);
if (i != 1) { if (i != 1) {
SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
goto err; return 0;
}
if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
/* SSLfatal() already called */
return 0;
} }
if (!ssl_add_cert_to_wpacket(s, pkt, x, 0, &tmpal))
goto err;
for (i = 0; i < sk_X509_num(extra_certs); i++) { for (i = 0; i < sk_X509_num(extra_certs); i++) {
x = sk_X509_value(extra_certs, i); x = sk_X509_value(extra_certs, i);
if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1, &tmpal)) if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
goto err; /* SSLfatal() already called */
return 0;
}
} }
} }
return 1; return 1;
err:
*al = tmpal;
return 0;
} }
unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk, unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
int *al)
{ {
int tmpal = SSL_AD_INTERNAL_ERROR; if (!WPACKET_start_sub_packet_u24(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
ERR_R_INTERNAL_ERROR);
return 0;
}
if (!ssl_add_cert_chain(s, pkt, cpk))
return 0;
if (!WPACKET_start_sub_packet_u24(pkt) if (!WPACKET_close(pkt)) {
|| !ssl_add_cert_chain(s, pkt, cpk, &tmpal) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
|| !WPACKET_close(pkt)) { ERR_R_INTERNAL_ERROR);
SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR);
*al = tmpal;
return 0; return 0;
} }
return 1; return 1;
} }
...@@ -2009,20 +2009,22 @@ int create_synthetic_message_hash(SSL *s) ...@@ -2009,20 +2009,22 @@ int create_synthetic_message_hash(SSL *s)
/* Get the hash of the initial ClientHello */ /* Get the hash of the initial ClientHello */
if (!ssl3_digest_cached_records(s, 0) if (!ssl3_digest_cached_records(s, 0)
|| !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {
SSLerr(SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
return 0; return 0;
} }
/* Reinitialise the transcript hash */ /* Reinitialise the transcript hash */
if (!ssl3_init_finished_mac(s)) if (!ssl3_init_finished_mac(s)) {
/* SSLfatal() already called */
return 0; return 0;
}
/* Inject the synthetic message_hash message */ /* Inject the synthetic message_hash message */
msghdr[0] = SSL3_MT_MESSAGE_HASH; msghdr[0] = SSL3_MT_MESSAGE_HASH;
msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen; msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
|| !ssl3_finish_mac(s, hashval, hashlen)) { || !ssl3_finish_mac(s, hashval, hashlen)) {
SSLerr(SSL_F_CREATE_SYNTHETIC_MESSAGE_HASH, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
return 0; return 0;
} }
...@@ -2034,21 +2036,22 @@ static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b) ...@@ -2034,21 +2036,22 @@ static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
return X509_NAME_cmp(*a, *b); return X509_NAME_cmp(*a, *b);
} }
int parse_ca_names(SSL *s, PACKET *pkt, int *al) int parse_ca_names(SSL *s, PACKET *pkt)
{ {
STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp); STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
X509_NAME *xn = NULL; X509_NAME *xn = NULL;
PACKET cadns; PACKET cadns;
if (ca_sk == NULL) { if (ca_sk == NULL) {
SSLerr(SSL_F_PARSE_CA_NAMES, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
goto decerr; ERR_R_MALLOC_FAILURE);
goto err;
} }
/* get the CA RDNs */ /* get the CA RDNs */
if (!PACKET_get_length_prefixed_2(pkt, &cadns)) { if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
SSLerr(SSL_F_PARSE_CA_NAMES, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto decerr; goto err;
} }
while (PACKET_remaining(&cadns)) { while (PACKET_remaining(&cadns)) {
...@@ -2057,23 +2060,26 @@ int parse_ca_names(SSL *s, PACKET *pkt, int *al) ...@@ -2057,23 +2060,26 @@ int parse_ca_names(SSL *s, PACKET *pkt, int *al)
if (!PACKET_get_net_2(&cadns, &name_len) if (!PACKET_get_net_2(&cadns, &name_len)
|| !PACKET_get_bytes(&cadns, &namebytes, name_len)) { || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
SSLerr(SSL_F_PARSE_CA_NAMES, SSL_R_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
goto decerr; SSL_R_LENGTH_MISMATCH);
goto err;
} }
namestart = namebytes; namestart = namebytes;
if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) { if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
SSLerr(SSL_F_PARSE_CA_NAMES, ERR_R_ASN1_LIB); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
goto decerr; ERR_R_ASN1_LIB);
goto err;
} }
if (namebytes != (namestart + name_len)) { if (namebytes != (namestart + name_len)) {
SSLerr(SSL_F_PARSE_CA_NAMES, SSL_R_CA_DN_LENGTH_MISMATCH); SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
goto decerr; SSL_R_CA_DN_LENGTH_MISMATCH);
goto err;
} }
if (!sk_X509_NAME_push(ca_sk, xn)) { if (!sk_X509_NAME_push(ca_sk, xn)) {
SSLerr(SSL_F_PARSE_CA_NAMES, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
*al = SSL_AD_INTERNAL_ERROR; ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
xn = NULL; xn = NULL;
...@@ -2084,8 +2090,6 @@ int parse_ca_names(SSL *s, PACKET *pkt, int *al) ...@@ -2084,8 +2090,6 @@ int parse_ca_names(SSL *s, PACKET *pkt, int *al)
return 1; return 1;
decerr:
*al = SSL_AD_DECODE_ERROR;
err: err:
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
X509_NAME_free(xn); X509_NAME_free(xn);
...@@ -2097,8 +2101,11 @@ int construct_ca_names(SSL *s, WPACKET *pkt) ...@@ -2097,8 +2101,11 @@ int construct_ca_names(SSL *s, WPACKET *pkt)
const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s); const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
/* Start sub-packet for client CA list */ /* Start sub-packet for client CA list */
if (!WPACKET_start_sub_packet_u16(pkt)) if (!WPACKET_start_sub_packet_u16(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
}
if (ca_sk != NULL) { if (ca_sk != NULL) {
int i; int i;
...@@ -2113,26 +2120,34 @@ int construct_ca_names(SSL *s, WPACKET *pkt) ...@@ -2113,26 +2120,34 @@ int construct_ca_names(SSL *s, WPACKET *pkt)
|| !WPACKET_sub_allocate_bytes_u16(pkt, namelen, || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
&namebytes) &namebytes)
|| i2d_X509_NAME(name, &namebytes) != namelen) { || i2d_X509_NAME(name, &namebytes) != namelen) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
} }
if (!WPACKET_close(pkt)) if (!WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
}
return 1; return 1;
} }
/* Create a buffer containing data to be signed for server key exchange */ /* Create a buffer containing data to be signed for server key exchange */
size_t construct_key_exchange_tbs(const SSL *s, unsigned char **ptbs, size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
const void *param, size_t paramlen) const void *param, size_t paramlen)
{ {
size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen; size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
unsigned char *tbs = OPENSSL_malloc(tbslen); unsigned char *tbs = OPENSSL_malloc(tbslen);
if (tbs == NULL) if (tbs == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
ERR_R_MALLOC_FAILURE);
return 0; return 0;
}
memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE); memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE); memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
......
ssl/statem/statem_locl.h
浏览文件 @ f63a17d6
...@@ -58,9 +58,9 @@ typedef int (*confunc_f) (SSL *s, WPACKET *pkt); ...@@ -58,9 +58,9 @@ typedef int (*confunc_f) (SSL *s, WPACKET *pkt);
int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
size_t num_groups, int checkallow); size_t num_groups, int checkallow);
int create_synthetic_message_hash(SSL *s); int create_synthetic_message_hash(SSL *s);
int parse_ca_names(SSL *s, PACKET *pkt, int *al); int parse_ca_names(SSL *s, PACKET *pkt);
int construct_ca_names(SSL *s, WPACKET *pkt); int construct_ca_names(SSL *s, WPACKET *pkt);
size_t construct_key_exchange_tbs(const SSL *s, unsigned char **ptbs, size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
const void *param, size_t paramlen); const void *param, size_t paramlen);
/* /*
...@@ -95,7 +95,7 @@ __owur int tls_get_message_body(SSL *s, size_t *len); ...@@ -95,7 +95,7 @@ __owur int tls_get_message_body(SSL *s, size_t *len);
__owur int dtls_get_message(SSL *s, int *mt, size_t *len); __owur int dtls_get_message(SSL *s, int *mt, size_t *len);
/* Message construction and processing functions */ /* Message construction and processing functions */
__owur int tls_process_initial_server_flight(SSL *s, int *al); __owur int tls_process_initial_server_flight(SSL *s);
__owur MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt);
__owur int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt); __owur int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt);
...@@ -112,7 +112,7 @@ __owur int tls_construct_client_hello(SSL *s, WPACKET *pkt); ...@@ -112,7 +112,7 @@ __owur int tls_construct_client_hello(SSL *s, WPACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt);
__owur int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al); __owur int tls_process_cert_status_body(SSL *s, PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt);
__owur MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt);
__owur int tls_construct_cert_verify(SSL *s, WPACKET *pkt); __owur int tls_construct_cert_verify(SSL *s, WPACKET *pkt);
...@@ -164,17 +164,15 @@ typedef enum ext_return_en { ...@@ -164,17 +164,15 @@ typedef enum ext_return_en {
__owur int extension_is_relevant(SSL *s, unsigned int extctx, __owur int extension_is_relevant(SSL *s, unsigned int extctx,
unsigned int thisctx); unsigned int thisctx);
__owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, __owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
RAW_EXTENSION **res, int *al, size_t *len, RAW_EXTENSION **res, size_t *len, int init);
int init);
__owur int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, __owur int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
RAW_EXTENSION *exts, X509 *x, size_t chainidx, RAW_EXTENSION *exts, X509 *x, size_t chainidx);
int *al);
__owur int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, __owur int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts,
X509 *x, size_t chainidx, int *al, int fin); X509 *x, size_t chainidx, int fin);
__owur int should_add_extension(SSL *s, unsigned int extctx, __owur int should_add_extension(SSL *s, unsigned int extctx,
unsigned int thisctx, int max_version); unsigned int thisctx, int max_version);
__owur int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, __owur int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
__owur int tls_psk_do_binder(SSL *s, const EVP_MD *md, __owur int tls_psk_do_binder(SSL *s, const EVP_MD *md,
const unsigned char *msgstart, const unsigned char *msgstart,
...@@ -184,98 +182,98 @@ __owur int tls_psk_do_binder(SSL *s, const EVP_MD *md, ...@@ -184,98 +182,98 @@ __owur int tls_psk_do_binder(SSL *s, const EVP_MD *md,
/* Server Extension processing */ /* Server Extension processing */
int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidxl);
#endif #endif
int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#endif #endif
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#endif #endif
EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
/* /*
* Not in public headers as this is not an official extension. Only used when * Not in public headers as this is not an official extension. Only used when
* SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set.
...@@ -283,118 +281,118 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, ...@@ -283,118 +281,118 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
#define TLSEXT_TYPE_cryptopro_bug 0xfde8 #define TLSEXT_TYPE_cryptopro_bug 0xfde8
EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
/* Client Extension processing */ /* Client Extension processing */
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#endif #endif
EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#endif #endif
EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#endif #endif
EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#endif #endif
int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx, int *al); X509 *x, size_t chainidx);
#endif #endif
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
#endif #endif
int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al); size_t chainidx);
int tls_handle_alpn(SSL *s, int *al); int tls_handle_alpn(SSL *s);
ssl/statem/statem_srvr.c
浏览文件 @ f63a17d6
...@@ -271,8 +271,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt) ...@@ -271,8 +271,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
err: err:
/* No valid transition found */ /* No valid transition found */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
SSL_R_UNEXPECTED_MESSAGE);
return 0; return 0;
} }
...@@ -488,7 +489,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) ...@@ -488,7 +489,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
} }
/* Must be an incoming ClientHello */ /* Must be an incoming ClientHello */
if (!tls_setup_handshake(s)) { if (!tls_setup_handshake(s)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WRITE_TRAN_ERROR; return WRITE_TRAN_ERROR;
} }
/* Fall through */ /* Fall through */
...@@ -655,7 +656,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) ...@@ -655,7 +656,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
case TLS_ST_SW_CHANGE: case TLS_ST_SW_CHANGE:
s->session->cipher = s->s3->tmp.new_cipher; s->session->cipher = s->s3->tmp.new_cipher;
if (!s->method->ssl3_enc->setup_key_block(s)) { if (!s->method->ssl3_enc->setup_key_block(s)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
...@@ -705,7 +706,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) ...@@ -705,7 +706,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
if (statem_flush(s) != 1) if (statem_flush(s) != 1)
return WORK_MORE_A; return WORK_MORE_A;
if (!ssl3_init_finished_mac(s)) { if (!ssl3_init_finished_mac(s)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
break; break;
...@@ -715,7 +716,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) ...@@ -715,7 +716,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
return WORK_MORE_A; return WORK_MORE_A;
/* HelloVerifyRequest resets Finished MAC */ /* HelloVerifyRequest resets Finished MAC */
if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) { if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
/* /*
...@@ -783,7 +784,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) ...@@ -783,7 +784,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
if (!s->method->ssl3_enc->change_cipher_state(s, if (!s->method->ssl3_enc->change_cipher_state(s,
SSL3_CHANGE_CIPHER_SERVER_WRITE)) SSL3_CHANGE_CIPHER_SERVER_WRITE))
{ {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
...@@ -815,6 +816,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) ...@@ -815,6 +816,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
&s->session->master_key_length) &s->session->master_key_length)
|| !s->method->ssl3_enc->change_cipher_state(s, || !s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
/* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
break; break;
...@@ -851,6 +853,9 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, ...@@ -851,6 +853,9 @@ int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
switch (st->hand_state) { switch (st->hand_state) {
default: default:
/* Shouldn't happen */ /* Shouldn't happen */
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
SSL_R_BAD_HANDSHAKE_STATE);
return 0; return 0;
case TLS_ST_SW_CHANGE: case TLS_ST_SW_CHANGE:
...@@ -1114,7 +1119,7 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) ...@@ -1114,7 +1119,7 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
s->ctx->app_gen_cookie_cb(s, s->d1->cookie, s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
&cookie_leni) == 0 || &cookie_leni) == 0 ||
cookie_leni > 255) { cookie_leni > 255) {
SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
SSL_R_COOKIE_GEN_CALLBACK_FAILURE); SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
return 0; return 0;
} }
...@@ -1122,7 +1127,8 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) ...@@ -1122,7 +1127,8 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
s->d1->cookie_len)) { s->d1->cookie_len)) {
SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -1195,7 +1201,6 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) ...@@ -1195,7 +1201,6 @@ static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
/* |cookie| will only be initialized for DTLS. */ /* |cookie| will only be initialized for DTLS. */
PACKET session_id, compression, extensions, cookie; PACKET session_id, compression, extensions, cookie;
static const unsigned char null_compression = 0; static const unsigned char null_compression = 0;
...@@ -1203,7 +1208,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1203,7 +1208,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
clienthello = OPENSSL_zalloc(sizeof(*clienthello)); clienthello = OPENSSL_zalloc(sizeof(*clienthello));
if (clienthello == NULL) { if (clienthello == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
/* Check if this is actually an unexpected renegotiation ClientHello */ /* Check if this is actually an unexpected renegotiation ClientHello */
...@@ -1226,9 +1232,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1226,9 +1232,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
unsigned int mt; unsigned int mt;
if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) { if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE); SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
goto f_err; goto err;
} }
/*- /*-
...@@ -1253,14 +1259,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1253,14 +1259,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
* layer in order to have determined that this is a SSLv2 record * layer in order to have determined that this is a SSLv2 record
* in the first place * in the first place
*/ */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
} }
if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); SSL_R_LENGTH_TOO_SHORT);
goto err; goto err;
} }
...@@ -1277,16 +1284,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1277,16 +1284,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
if (!PACKET_get_net_2(pkt, &ciphersuite_len) if (!PACKET_get_net_2(pkt, &ciphersuite_len)
|| !PACKET_get_net_2(pkt, &session_id_len) || !PACKET_get_net_2(pkt, &session_id_len)
|| !PACKET_get_net_2(pkt, &challenge_len)) { || !PACKET_get_net_2(pkt, &challenge_len)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_RECORD_LENGTH_MISMATCH); SSL_R_RECORD_LENGTH_MISMATCH);
al = SSL_AD_DECODE_ERROR; goto err;
goto f_err;
} }
if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
...@@ -1295,10 +1301,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1295,10 +1301,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|| !PACKET_get_sub_packet(pkt, &challenge, challenge_len) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
/* No extensions. */ /* No extensions. */
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_RECORD_LENGTH_MISMATCH); SSL_R_RECORD_LENGTH_MISMATCH);
al = SSL_AD_DECODE_ERROR; goto err;
goto f_err;
} }
clienthello->session_id_len = session_id_len; clienthello->session_id_len = session_id_len;
...@@ -1315,9 +1320,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1315,9 +1320,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
challenge_len, challenge_len) challenge_len, challenge_len)
/* Advertise only null compression. */ /* Advertise only null compression. */
|| !PACKET_buf_init(&compression, &null_compression, 1)) { || !PACKET_buf_init(&compression, &null_compression, 1)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
al = SSL_AD_INTERNAL_ERROR; ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
PACKET_null_init(&clienthello->extensions); PACKET_null_init(&clienthello->extensions);
...@@ -1328,23 +1333,23 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1328,23 +1333,23 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
|| !PACKET_copy_all(&session_id, clienthello->session_id, || !PACKET_copy_all(&session_id, clienthello->session_id,
SSL_MAX_SSL_SESSION_ID_LENGTH, SSL_MAX_SSL_SESSION_ID_LENGTH,
&clienthello->session_id_len)) { &clienthello->session_id_len)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
if (!PACKET_get_length_prefixed_1(pkt, &cookie)) { if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
DTLS1_COOKIE_LENGTH, DTLS1_COOKIE_LENGTH,
&clienthello->dtls_cookie_len)) { &clienthello->dtls_cookie_len)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
/* /*
* If we require cookies and this ClientHello doesn't contain one, * If we require cookies and this ClientHello doesn't contain one,
...@@ -1358,15 +1363,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1358,15 +1363,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
} }
if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (!PACKET_get_length_prefixed_1(pkt, &compression)) { if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
/* Could be empty. */ /* Could be empty. */
...@@ -1375,9 +1380,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1375,9 +1380,9 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
} else { } else {
if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions) if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
} }
} }
...@@ -1385,27 +1390,24 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1385,27 +1390,24 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
if (!PACKET_copy_all(&compression, clienthello->compressions, if (!PACKET_copy_all(&compression, clienthello->compressions,
MAX_COMPRESSIONS_SIZE, MAX_COMPRESSIONS_SIZE,
&clienthello->compressions_len)) { &clienthello->compressions_len)) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
/* Preserve the raw extensions PACKET for later use */ /* Preserve the raw extensions PACKET for later use */
extensions = clienthello->extensions; extensions = clienthello->extensions;
if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO, if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
&clienthello->pre_proc_exts, &al, &clienthello->pre_proc_exts,
&clienthello->pre_proc_exts_len, 1)) { &clienthello->pre_proc_exts_len, 1)) {
/* SSLerr already been called */ /* SSLfatal already been called */
goto f_err; goto err;
} }
s->clienthello = clienthello; s->clienthello = clienthello;
return MSG_PROCESS_CONTINUE_PROCESSING; return MSG_PROCESS_CONTINUE_PROCESSING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
ossl_statem_set_error(s);
err:
if (clienthello != NULL) if (clienthello != NULL)
OPENSSL_free(clienthello->pre_proc_exts); OPENSSL_free(clienthello->pre_proc_exts);
OPENSSL_free(clienthello); OPENSSL_free(clienthello);
...@@ -1413,7 +1415,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) ...@@ -1413,7 +1415,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
static int tls_early_post_process_client_hello(SSL *s, int *pal) static int tls_early_post_process_client_hello(SSL *s)
{ {
unsigned int j; unsigned int j;
int i, al = SSL_AD_INTERNAL_ERROR; int i, al = SSL_AD_INTERNAL_ERROR;
...@@ -1441,6 +1443,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1441,6 +1443,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
return -1; return -1;
case SSL_CLIENT_HELLO_ERROR: case SSL_CLIENT_HELLO_ERROR:
default: default:
SSLfatal(s, al,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_CALLBACK_FAILED);
goto err; goto err;
} }
} }
...@@ -1455,10 +1460,12 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1455,10 +1460,12 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
|| (clienthello->legacy_version & 0xff00) || (clienthello->legacy_version & 0xff00)
!= (SSL3_VERSION_MAJOR << 8)) { != (SSL3_VERSION_MAJOR << 8)) {
/* /*
* This is real SSLv2 or something complete unknown. We don't * This is real SSLv2 or something completely unknown. We don't
* support it. * support it.
*/ */
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL); SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_UNKNOWN_PROTOCOL);
goto err; goto err;
} }
/* SSLv3/TLS */ /* SSLv3/TLS */
...@@ -1478,19 +1485,19 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1478,19 +1485,19 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
} }
if (protverr) { if (protverr) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
if (SSL_IS_FIRST_HANDSHAKE(s)) { if (SSL_IS_FIRST_HANDSHAKE(s)) {
/* like ssl3_get_record, send alert using remote version number */ /* like ssl3_get_record, send alert using remote version number */
s->version = s->client_version = clienthello->legacy_version; s->version = s->client_version = clienthello->legacy_version;
} }
al = SSL_AD_PROTOCOL_VERSION; SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
goto err; goto err;
} }
/* TLSv1.3 specifies that a ClientHello must end on a record boundary */ /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_NOT_ON_RECORD_BOUNDARY); SSL_R_NOT_ON_RECORD_BOUNDARY);
goto err; goto err;
} }
...@@ -1501,8 +1508,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1501,8 +1508,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
if (s->ctx->app_verify_cookie_cb != NULL) { if (s->ctx->app_verify_cookie_cb != NULL) {
if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
clienthello->dtls_cookie_len) == 0) { clienthello->dtls_cookie_len) == 0) {
al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_COOKIE_MISMATCH); SSL_R_COOKIE_MISMATCH);
goto err; goto err;
/* else cookie verification succeeded */ /* else cookie verification succeeded */
...@@ -1511,8 +1518,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1511,8 +1518,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
} else if (s->d1->cookie_len != clienthello->dtls_cookie_len } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
|| memcmp(clienthello->dtls_cookie, s->d1->cookie, || memcmp(clienthello->dtls_cookie, s->d1->cookie,
s->d1->cookie_len) != 0) { s->d1->cookie_len) != 0) {
al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_COOKIE_MISMATCH);
goto err; goto err;
} }
s->d1->cookie_verified = 1; s->d1->cookie_verified = 1;
...@@ -1520,9 +1528,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1520,9 +1528,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
if (s->method->version == DTLS_ANY_VERSION) { if (s->method->version == DTLS_ANY_VERSION) {
protverr = ssl_choose_server_version(s, clienthello, &dgrd); protverr = ssl_choose_server_version(s, clienthello, &dgrd);
if (protverr != 0) { if (protverr != 0) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
s->version = s->client_version; s->version = s->client_version;
al = SSL_AD_PROTOCOL_VERSION; SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
goto err; goto err;
} }
} }
...@@ -1531,9 +1539,10 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1531,9 +1539,10 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
s->hit = 0; s->hit = 0;
if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
clienthello->isv2, &al) || clienthello->isv2) ||
!bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
clienthello->isv2, &al)) { clienthello->isv2, 1)) {
/* SSLfatal() already called */
goto err; goto err;
} }
...@@ -1545,9 +1554,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1545,9 +1554,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) { if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
if (s->renegotiate) { if (s->renegotiate) {
/* SCSV is fatal if renegotiating */ /* SCSV is fatal if renegotiating */
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
al = SSL_AD_HANDSHAKE_FAILURE;
goto err; goto err;
} }
s->s3->send_connection_binding = 1; s->s3->send_connection_binding = 1;
...@@ -1560,9 +1569,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1560,9 +1569,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
* connection may have been tampered with in order to trigger * connection may have been tampered with in order to trigger
* an insecure downgrade. * an insecure downgrade.
*/ */
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_INAPPROPRIATE_FALLBACK); SSL_R_INAPPROPRIATE_FALLBACK);
al = SSL_AD_INAPPROPRIATE_FALLBACK;
goto err; goto err;
} }
} }
...@@ -1574,9 +1583,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1574,9 +1583,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
if (cipher == NULL) { if (cipher == NULL) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_NO_SHARED_CIPHER); SSL_R_NO_SHARED_CIPHER);
al = SSL_AD_HANDSHAKE_FAILURE;
goto err; goto err;
} }
if (s->hello_retry_request if (s->hello_retry_request
...@@ -1586,8 +1595,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1586,8 +1595,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
* A previous HRR picked a different ciphersuite to the one we * A previous HRR picked a different ciphersuite to the one we
* just selected. Something must have changed. * just selected. Something must have changed.
*/ */
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_BAD_CIPHER); SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_BAD_CIPHER);
goto err; goto err;
} }
s->s3->tmp.new_cipher = cipher; s->s3->tmp.new_cipher = cipher;
...@@ -1596,8 +1606,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1596,8 +1606,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
/* We need to do this before getting the session */ /* We need to do this before getting the session */
if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
SSL_EXT_CLIENT_HELLO, SSL_EXT_CLIENT_HELLO,
clienthello->pre_proc_exts, NULL, 0, &al)) { clienthello->pre_proc_exts, NULL, 0)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); /* SSLfatal() already called */
goto err; goto err;
} }
...@@ -1620,21 +1630,26 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1620,21 +1630,26 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
if (clienthello->isv2 || if (clienthello->isv2 ||
(s->new_session && (s->new_session &&
(s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
if (!ssl_get_new_session(s, 1)) if (!ssl_get_new_session(s, 1)) {
/* SSLfatal() already called */
goto err; goto err;
}
} else { } else {
i = ssl_get_prev_session(s, clienthello, &al); i = ssl_get_prev_session(s, clienthello);
if (i == 1) { if (i == 1) {
/* previous session */ /* previous session */
s->hit = 1; s->hit = 1;
} else if (i == -1) { } else if (i == -1) {
/* SSLfatal() already called */
goto err; goto err;
} else { } else {
/* i == 0 */ /* i == 0 */
if (!ssl_get_new_session(s, 1)) if (!ssl_get_new_session(s, 1)) {
/* SSLfatal() already called */
goto err; goto err;
} }
} }
}
/* /*
* If it is a hit, check that the cipher is in the list. In TLSv1.3 we check * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
...@@ -1663,8 +1678,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1663,8 +1678,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
* we need to have the cipher in the cipher list if we are asked * we need to have the cipher in the cipher list if we are asked
* to reuse it * to reuse it
*/ */
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_REQUIRED_CIPHER_MISSING); SSL_R_REQUIRED_CIPHER_MISSING);
goto err; goto err;
} }
...@@ -1677,8 +1692,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1677,8 +1692,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
if (loop >= clienthello->compressions_len) { if (loop >= clienthello->compressions_len) {
/* no compress */ /* no compress */
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_NO_COMPRESSION_SPECIFIED);
goto err; goto err;
} }
...@@ -1689,8 +1705,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1689,8 +1705,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
/* TLS extensions */ /* TLS extensions */
if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
clienthello->pre_proc_exts, NULL, 0, &al, 1)) { clienthello->pre_proc_exts, NULL, 0, 1)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); /* SSLfatal() already called */
goto err; goto err;
} }
...@@ -1704,6 +1720,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1704,6 +1720,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
unsigned char *pos; unsigned char *pos;
pos = s->s3->server_random; pos = s->s3->server_random;
if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) { if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
} }
...@@ -1738,8 +1757,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1738,8 +1757,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
SSL_get_ciphers(s)); SSL_get_ciphers(s));
if (pref_cipher == NULL) { if (pref_cipher == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_NO_SHARED_CIPHER);
goto err; goto err;
} }
...@@ -1764,8 +1784,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1764,8 +1784,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
* a TLSv1.3 ClientHello. * a TLSv1.3 ClientHello.
*/ */
if (clienthello->compressions_len != 1) { if (clienthello->compressions_len != 1) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_INVALID_COMPRESSION_ALGORITHM); SSL_R_INVALID_COMPRESSION_ALGORITHM);
goto err; goto err;
} }
...@@ -1778,7 +1798,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1778,7 +1798,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
/* Perform sanity checks on resumed compression algorithm */ /* Perform sanity checks on resumed compression algorithm */
/* Can't disable compression */ /* Can't disable compression */
if (!ssl_allow_compression(s)) { if (!ssl_allow_compression(s)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_INCONSISTENT_COMPRESSION); SSL_R_INCONSISTENT_COMPRESSION);
goto err; goto err;
} }
...@@ -1791,7 +1812,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1791,7 +1812,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
} }
} }
if (s->s3->tmp.new_compression == NULL) { if (s->s3->tmp.new_compression == NULL) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_INVALID_COMPRESSION_ALGORITHM); SSL_R_INVALID_COMPRESSION_ALGORITHM);
goto err; goto err;
} }
...@@ -1801,8 +1823,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1801,8 +1823,8 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
break; break;
} }
if (k >= clienthello->compressions_len) { if (k >= clienthello->compressions_len) {
al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
goto err; goto err;
} }
...@@ -1837,7 +1859,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1837,7 +1859,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
* using compression. * using compression.
*/ */
if (s->session->compress_meth != 0) { if (s->session->compress_meth != 0) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
SSL_R_INCONSISTENT_COMPRESSION);
goto err; goto err;
} }
#endif #endif
...@@ -1850,8 +1874,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1850,8 +1874,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
sk_SSL_CIPHER_free(s->session->ciphers); sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers; s->session->ciphers = ciphers;
if (ciphers == NULL) { if (ciphers == NULL) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
ciphers = NULL; ciphers = NULL;
...@@ -1864,7 +1889,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1864,7 +1889,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
s->session->compress_meth = (comp == NULL) ? 0 : comp->id; s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
#endif #endif
if (!tls1_set_server_sigalgs(s)) { if (!tls1_set_server_sigalgs(s)) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); /* SSLfatal() already called */
goto err; goto err;
} }
} }
...@@ -1876,9 +1901,6 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1876,9 +1901,6 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
s->clienthello = NULL; s->clienthello = NULL;
return 1; return 1;
err: err:
ossl_statem_set_error(s);
*pal = al;
sk_SSL_CIPHER_free(ciphers); sk_SSL_CIPHER_free(ciphers);
sk_SSL_CIPHER_free(scsvs); sk_SSL_CIPHER_free(scsvs);
OPENSSL_free(clienthello->pre_proc_exts); OPENSSL_free(clienthello->pre_proc_exts);
...@@ -1890,9 +1912,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal) ...@@ -1890,9 +1912,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
/* /*
* Call the status request callback if needed. Upon success, returns 1. * Call the status request callback if needed. Upon success, returns 1.
* Upon failure, returns 0 and sets |*al| to the appropriate fatal alert. * Upon failure, returns 0.
*/ */
static int tls_handle_status_request(SSL *s, int *al) static int tls_handle_status_request(SSL *s)
{ {
s->ext.status_expected = 0; s->ext.status_expected = 0;
...@@ -1927,7 +1949,9 @@ static int tls_handle_status_request(SSL *s, int *al) ...@@ -1927,7 +1949,9 @@ static int tls_handle_status_request(SSL *s, int *al)
/* something bad happened */ /* something bad happened */
case SSL_TLSEXT_ERR_ALERT_FATAL: case SSL_TLSEXT_ERR_ALERT_FATAL:
default: default:
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_HANDLE_STATUS_REQUEST,
SSL_R_CLIENTHELLO_TLSEXT);
return 0; return 0;
} }
} }
...@@ -1940,7 +1964,7 @@ static int tls_handle_status_request(SSL *s, int *al) ...@@ -1940,7 +1964,7 @@ static int tls_handle_status_request(SSL *s, int *al)
* Call the alpn_select callback if needed. Upon success, returns 1. * Call the alpn_select callback if needed. Upon success, returns 1.
* Upon failure, returns 0 and sets |*al| to the appropriate fatal alert. * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert.
*/ */
int tls_handle_alpn(SSL *s, int *al) int tls_handle_alpn(SSL *s)
{ {
const unsigned char *selected = NULL; const unsigned char *selected = NULL;
unsigned char selected_len = 0; unsigned char selected_len = 0;
...@@ -1955,7 +1979,8 @@ int tls_handle_alpn(SSL *s, int *al) ...@@ -1955,7 +1979,8 @@ int tls_handle_alpn(SSL *s, int *al)
OPENSSL_free(s->s3->alpn_selected); OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
if (s->s3->alpn_selected == NULL) { if (s->s3->alpn_selected == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
s->s3->alpn_selected_len = selected_len; s->s3->alpn_selected_len = selected_len;
...@@ -1977,7 +2002,9 @@ int tls_handle_alpn(SSL *s, int *al) ...@@ -1977,7 +2002,9 @@ int tls_handle_alpn(SSL *s, int *al)
s->session->ext.alpn_selected = OPENSSL_memdup(selected, s->session->ext.alpn_selected = OPENSSL_memdup(selected,
selected_len); selected_len);
if (s->session->ext.alpn_selected == NULL) { if (s->session->ext.alpn_selected == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_HANDLE_ALPN,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
s->session->ext.alpn_selected_len = selected_len; s->session->ext.alpn_selected_len = selected_len;
...@@ -1986,7 +2013,8 @@ int tls_handle_alpn(SSL *s, int *al) ...@@ -1986,7 +2013,8 @@ int tls_handle_alpn(SSL *s, int *al)
return 1; return 1;
} else if (r != SSL_TLSEXT_ERR_NOACK) { } else if (r != SSL_TLSEXT_ERR_NOACK) {
*al = SSL_AD_NO_APPLICATION_PROTOCOL; SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
SSL_R_NO_APPLICATION_PROTOCOL);
return 0; return 0;
} }
/* /*
...@@ -2010,10 +2038,10 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) ...@@ -2010,10 +2038,10 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
const SSL_CIPHER *cipher; const SSL_CIPHER *cipher;
if (wst == WORK_MORE_A) { if (wst == WORK_MORE_A) {
int rv = tls_early_post_process_client_hello(s, &al); int rv = tls_early_post_process_client_hello(s);
if (rv == 0) { if (rv == 0) {
/* SSLErr() was already called */ /* SSLfatal() was already called */
goto f_err; goto err;
} }
if (rv < 0) if (rv < 0)
return WORK_MORE_A; return WORK_MORE_A;
...@@ -2025,10 +2053,10 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) ...@@ -2025,10 +2053,10 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
if (!s->hit && s->cert->cert_cb != NULL) { if (!s->hit && s->cert->cert_cb != NULL) {
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
if (rv == 0) { if (rv == 0) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_CERT_CB_ERROR); SSL_R_CERT_CB_ERROR);
goto f_err; goto err;
} }
if (rv < 0) { if (rv < 0) {
s->rwstate = SSL_X509_LOOKUP; s->rwstate = SSL_X509_LOOKUP;
...@@ -2043,15 +2071,18 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) ...@@ -2043,15 +2071,18 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
if (cipher == NULL) { if (cipher == NULL) {
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_NO_SHARED_CIPHER); SSL_R_NO_SHARED_CIPHER);
goto f_err; goto err;
} }
s->s3->tmp.new_cipher = cipher; s->s3->tmp.new_cipher = cipher;
} }
if (!s->hit) { if (!s->hit) {
if (!tls_choose_sigalg(s, &al)) if (!tls_choose_sigalg(s, 1)) {
goto f_err; /* SSLfatal already called */
goto err;
}
/* check whether we should disable session resumption */ /* check whether we should disable session resumption */
if (s->not_resumable_session_cb != NULL) if (s->not_resumable_session_cb != NULL)
s->session->not_resumable = s->session->not_resumable =
...@@ -2083,10 +2114,9 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) ...@@ -2083,10 +2114,9 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
* Call status_request callback if needed. Has to be done after the * Call status_request callback if needed. Has to be done after the
* certificate callbacks etc above. * certificate callbacks etc above.
*/ */
if (!tls_handle_status_request(s, &al)) { if (!tls_handle_status_request(s)) {
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, /* SSLfatal() already called */
SSL_R_CLIENTHELLO_TLSEXT); goto err;
goto f_err;
} }
/* /*
* Call alpn_select callback if needed. Has to be done after SNI and * Call alpn_select callback if needed. Has to be done after SNI and
...@@ -2094,10 +2124,9 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) ...@@ -2094,10 +2124,9 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
* we already did this because cipher negotiation happens earlier, and * we already did this because cipher negotiation happens earlier, and
* we must handle ALPN before we decide whether to accept early_data. * we must handle ALPN before we decide whether to accept early_data.
*/ */
if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s, &al)) { if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, /* SSLfatal() already called */
SSL_R_CLIENTHELLO_TLSEXT); goto err;
goto f_err;
} }
wst = WORK_MORE_C; wst = WORK_MORE_C;
...@@ -2118,26 +2147,24 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) ...@@ -2118,26 +2147,24 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
* a client to detect whether srp is supported. * a client to detect whether srp is supported.
*/ */
if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, al, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_CLIENTHELLO_TLSEXT); SSL_R_CLIENTHELLO_TLSEXT);
else else
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSLfatal(s, al, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_PSK_IDENTITY_NOT_FOUND); SSL_R_PSK_IDENTITY_NOT_FOUND);
goto f_err; goto err;
} }
} }
#endif #endif
return WORK_FINISHED_STOP; return WORK_FINISHED_STOP;
f_err: err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return WORK_ERROR; return WORK_ERROR;
} }
int tls_construct_server_hello(SSL *s, WPACKET *pkt) int tls_construct_server_hello(SSL *s, WPACKET *pkt)
{ {
int compm, al = SSL_AD_INTERNAL_ERROR; int compm;
size_t sl, len; size_t sl, len;
int version; int version;
...@@ -2149,8 +2176,9 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) ...@@ -2149,8 +2176,9 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* tls_process_client_hello() * tls_process_client_hello()
*/ */
|| !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
goto err; ERR_R_INTERNAL_ERROR);
return 0;
} }
/*- /*-
...@@ -2176,8 +2204,9 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) ...@@ -2176,8 +2204,9 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
sl = s->session->session_id_length; sl = s->session->session_id_length;
if (sl > sizeof(s->session->session_id)) { if (sl > sizeof(s->session->session_id)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
goto err; ERR_R_INTERNAL_ERROR);
return 0;
} }
/* set up the compression method */ /* set up the compression method */
...@@ -2199,28 +2228,25 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) ...@@ -2199,28 +2228,25 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
SSL_IS_TLS13(s) SSL_IS_TLS13(s)
? SSL_EXT_TLS1_3_SERVER_HELLO ? SSL_EXT_TLS1_3_SERVER_HELLO
: SSL_EXT_TLS1_2_SERVER_HELLO, : SSL_EXT_TLS1_2_SERVER_HELLO,
NULL, 0, &al)) { NULL, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; return 0;
} }
if (!(s->verify_mode & SSL_VERIFY_PEER) if (!(s->verify_mode & SSL_VERIFY_PEER)
&& !ssl3_digest_cached_records(s, 0)) { && !ssl3_digest_cached_records(s, 0)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */;
goto err; return 0;
} }
return 1; return 1;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
} }
int tls_construct_server_done(SSL *s, WPACKET *pkt) int tls_construct_server_done(SSL *s, WPACKET *pkt)
{ {
if (!s->s3->tmp.cert_request) { if (!s->s3->tmp.cert_request) {
if (!ssl3_digest_cached_records(s, 0)) { if (!ssl3_digest_cached_records(s, 0)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); /* SSLfatal() already called */
return 0; return 0;
} }
} }
...@@ -2238,7 +2264,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2238,7 +2264,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
int curve_id = 0; int curve_id = 0;
#endif #endif
const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
int al = SSL_AD_INTERNAL_ERROR, i; int i;
unsigned long type; unsigned long type;
const BIGNUM *r[4]; const BIGNUM *r[4];
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
...@@ -2246,13 +2272,15 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2246,13 +2272,15 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
size_t paramlen, paramoffset; size_t paramlen, paramoffset;
if (!WPACKET_get_total_written(pkt, &paramoffset)) { if (!WPACKET_get_total_written(pkt, &paramoffset)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
goto f_err; SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
} }
if (md_ctx == NULL) { if (md_ctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
goto f_err; SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto err;
} }
type = s->s3->tmp.new_cipher->algorithm_mkey; type = s->s3->tmp.new_cipher->algorithm_mkey;
...@@ -2275,9 +2303,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2275,9 +2303,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
pkdh = EVP_PKEY_new(); pkdh = EVP_PKEY_new();
if (pkdh == NULL || dhp == NULL) { if (pkdh == NULL || dhp == NULL) {
DH_free(dhp); DH_free(dhp);
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
EVP_PKEY_assign_DH(pkdh, dhp); EVP_PKEY_assign_DH(pkdh, dhp);
pkdhp = pkdh; pkdhp = pkdh;
...@@ -2288,35 +2317,36 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2288,35 +2317,36 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
pkdh = ssl_dh_to_pkey(dhp); pkdh = ssl_dh_to_pkey(dhp);
if (pkdh == NULL) { if (pkdh == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
pkdhp = pkdh; pkdhp = pkdh;
} }
if (pkdhp == NULL) { if (pkdhp == NULL) {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_MISSING_TMP_DH_KEY); SSL_R_MISSING_TMP_DH_KEY);
goto f_err; goto err;
} }
if (!ssl_security(s, SSL_SECOP_TMP_DH, if (!ssl_security(s, SSL_SECOP_TMP_DH,
EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) { EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_DH_KEY_TOO_SMALL); SSL_R_DH_KEY_TOO_SMALL);
goto f_err; goto err;
} }
if (s->s3->tmp.pkey != NULL) { if (s->s3->tmp.pkey != NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
s->s3->tmp.pkey = ssl_generate_pkey(pkdhp); s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
if (s->s3->tmp.pkey == NULL) { if (s->s3->tmp.pkey == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); /* SSLfatal() already called */
goto err; goto err;
} }
...@@ -2333,7 +2363,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2333,7 +2363,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
if (s->s3->tmp.pkey != NULL) { if (s->s3->tmp.pkey != NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -2341,22 +2372,24 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2341,22 +2372,24 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
/* Get NID of appropriate shared curve */ /* Get NID of appropriate shared curve */
curve_id = tls1_shared_group(s, -2); curve_id = tls1_shared_group(s, -2);
if (curve_id == 0) { if (curve_id == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
goto err; goto err;
} }
s->s3->tmp.pkey = ssl_generate_pkey_group(curve_id); s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id);
/* Generate a new key for this curve */ /* Generate a new key for this curve */
if (s->s3->tmp.pkey == NULL) { if (s->s3->tmp.pkey == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); /* SSLfatal() already called */
goto f_err; goto err;
} }
/* Encode the public key. */ /* Encode the public key. */
encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey, encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
&encodedPoint); &encodedPoint);
if (encodedlen == 0) { if (encodedlen == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
goto err; goto err;
} }
...@@ -2375,7 +2408,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2375,7 +2408,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
if ((s->srp_ctx.N == NULL) || if ((s->srp_ctx.N == NULL) ||
(s->srp_ctx.g == NULL) || (s->srp_ctx.g == NULL) ||
(s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_MISSING_SRP_PARAM); SSL_R_MISSING_SRP_PARAM);
goto err; goto err;
} }
...@@ -2386,18 +2420,19 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2386,18 +2420,19 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
} else } else
#endif #endif
{ {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
goto f_err; goto err;
} }
if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
|| ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
lu = NULL; lu = NULL;
} else if (lu == NULL) { } else if (lu == NULL) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
goto f_err; SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
} }
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
...@@ -2412,9 +2447,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2412,9 +2447,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
if (len > PSK_MAX_IDENTITY_LEN if (len > PSK_MAX_IDENTITY_LEN
|| !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
len)) { len)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
} }
#endif #endif
...@@ -2431,9 +2467,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2431,9 +2467,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
res = WPACKET_start_sub_packet_u16(pkt); res = WPACKET_start_sub_packet_u16(pkt);
if (!res) { if (!res) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
...@@ -2447,9 +2484,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2447,9 +2484,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
if (len > 0) { if (len > 0) {
if (!WPACKET_allocate_bytes(pkt, len, &binval)) { if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
memset(binval, 0, len); memset(binval, 0, len);
} }
...@@ -2457,9 +2495,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2457,9 +2495,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
#endif #endif
if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval) if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
BN_bn2bin(r[i], binval); BN_bn2bin(r[i], binval);
...@@ -2477,9 +2516,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2477,9 +2516,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
|| !WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_put_bytes_u8(pkt, 0)
|| !WPACKET_put_bytes_u8(pkt, curve_id) || !WPACKET_put_bytes_u8(pkt, curve_id)
|| !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
OPENSSL_free(encodedPoint); OPENSSL_free(encodedPoint);
encodedPoint = NULL; encodedPoint = NULL;
...@@ -2496,10 +2536,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2496,10 +2536,10 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
if (pkey == NULL || !tls1_lookup_md(lu, &md)) { if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
/* Should never happen */ /* Should never happen */
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
/* /*
* n is the length of the params, they start at &(d[4]) and p * n is the length of the params, they start at &(d[4]) and p
...@@ -2508,13 +2548,18 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2508,13 +2548,18 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
/* Get length of the parameters we have written above */ /* Get length of the parameters we have written above */
if (!WPACKET_get_length(pkt, &paramlen)) { if (!WPACKET_get_length(pkt, &paramlen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
/* send signature algorithm */ /* send signature algorithm */
if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
return 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
}
/* /*
* Create the signature. We don't know the actual length of the sig * Create the signature. We don't know the actual length of the sig
* until after we've created it, so we reserve enough bytes for it * until after we've created it, so we reserve enough bytes for it
...@@ -2524,40 +2569,40 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2524,40 +2569,40 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
siglen = EVP_PKEY_size(pkey); siglen = EVP_PKEY_size(pkey);
if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
|| EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) { || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
if (lu->sig == EVP_PKEY_RSA_PSS) { if (lu->sig == EVP_PKEY_RSA_PSS) {
if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
|| EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) { || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_EVP_LIB); ERR_R_EVP_LIB);
goto f_err; goto err;
} }
} }
tbslen = construct_key_exchange_tbs(s, &tbs, tbslen = construct_key_exchange_tbs(s, &tbs,
s->init_buf->data + paramoffset, s->init_buf->data + paramoffset,
paramlen); paramlen);
if (tbslen == 0) { if (tbslen == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, /* SSLfatal() already called */
ERR_R_MALLOC_FAILURE); goto err;
goto f_err;
} }
rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen); rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
OPENSSL_free(tbs); OPENSSL_free(tbs);
if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
|| sigbytes1 != sigbytes2) { || sigbytes1 != sigbytes2) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto f_err; goto err;
} }
} }
EVP_MD_CTX_free(md_ctx); EVP_MD_CTX_free(md_ctx);
return 1; return 1;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err: err:
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
EVP_PKEY_free(pkdh); EVP_PKEY_free(pkdh);
...@@ -2571,22 +2616,20 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) ...@@ -2571,22 +2616,20 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
int tls_construct_certificate_request(SSL *s, WPACKET *pkt) int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
/* TODO(TLS1.3) for now send empty request context */ /* TODO(TLS1.3) for now send empty request context */
if (!WPACKET_put_bytes_u8(pkt, 0)) { if (!WPACKET_put_bytes_u8(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; return 0;
} }
if (!tls_construct_extensions(s, pkt, if (!tls_construct_extensions(s, pkt,
SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
0, &al)) { 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, /* SSLfatal() already called */
ERR_R_INTERNAL_ERROR); return 0;
goto err;
} }
goto done; goto done;
} }
...@@ -2594,8 +2637,9 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) ...@@ -2594,8 +2637,9 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
/* get the list of acceptable cert types */ /* get the list of acceptable cert types */
if (!WPACKET_start_sub_packet_u8(pkt) if (!WPACKET_start_sub_packet_u8(pkt)
|| !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
goto err; SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
return 0;
} }
if (SSL_USE_SIGALGS(s)) { if (SSL_USE_SIGALGS(s)) {
...@@ -2606,26 +2650,24 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) ...@@ -2606,26 +2650,24 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
|| !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
|| !tls12_copy_sigalgs(s, pkt, psigs, nl) || !tls12_copy_sigalgs(s, pkt, psigs, nl)
|| !WPACKET_close(pkt)) { || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; return 0;
} }
} }
if (!construct_ca_names(s, pkt)) { if (!construct_ca_names(s, pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; return 0;
} }
done: done:
s->s3->tmp.cert_request = 1; s->s3->tmp.cert_request = 1;
return 1; return 1;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
} }
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
{ {
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
unsigned char psk[PSK_MAX_PSK_LEN]; unsigned char psk[PSK_MAX_PSK_LEN];
...@@ -2633,24 +2675,24 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) ...@@ -2633,24 +2675,24 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
PACKET psk_identity; PACKET psk_identity;
if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) { if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) { if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG); SSL_R_DATA_LENGTH_TOO_LONG);
return 0; return 0;
} }
if (s->psk_server_callback == NULL) { if (s->psk_server_callback == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB); SSL_R_PSK_NO_SERVER_CB);
return 0; return 0;
} }
if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -2658,15 +2700,15 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) ...@@ -2658,15 +2700,15 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
psk, sizeof(psk)); psk, sizeof(psk));
if (psklen > PSK_MAX_PSK_LEN) { if (psklen > PSK_MAX_PSK_LEN) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} else if (psklen == 0) { } else if (psklen == 0) {
/* /*
* PSK related to the given identity not found * PSK related to the given identity not found
*/ */
*al = SSL_AD_UNKNOWN_PSK_IDENTITY; SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
SSL_R_PSK_IDENTITY_NOT_FOUND); SSL_R_PSK_IDENTITY_NOT_FOUND);
return 0; return 0;
} }
...@@ -2676,8 +2718,8 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) ...@@ -2676,8 +2718,8 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
OPENSSL_cleanse(psk, psklen); OPENSSL_cleanse(psk, psklen);
if (s->s3->tmp.psk == NULL) { if (s->s3->tmp.psk == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
...@@ -2686,13 +2728,13 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) ...@@ -2686,13 +2728,13 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
return 1; return 1;
#else #else
/* Should never happen */ /* Should never happen */
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
#endif #endif
} }
static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
{ {
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA
unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
...@@ -2706,8 +2748,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2706,8 +2748,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey); rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
if (rsa == NULL) { if (rsa == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE); SSL_R_MISSING_RSA_CERTIFICATE);
return 0; return 0;
} }
...@@ -2717,8 +2759,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2717,8 +2759,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
} else { } else {
if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster) if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
return 0; return 0;
} }
} }
...@@ -2730,15 +2772,15 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2730,15 +2772,15 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
* their ciphertext cannot accommodate a premaster secret anyway. * their ciphertext cannot accommodate a premaster secret anyway.
*/ */
if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) { if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL); RSA_R_KEY_SIZE_TOO_SMALL);
return 0; return 0;
} }
rsa_decrypt = OPENSSL_malloc(RSA_size(rsa)); rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
if (rsa_decrypt == NULL) { if (rsa_decrypt == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
...@@ -2750,8 +2792,12 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2750,8 +2792,12 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
* fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
*/ */
if (ssl_randbytes(s, rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) if (ssl_randbytes(s, rand_premaster_secret,
sizeof(rand_premaster_secret)) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
/* /*
* Decrypt with no padding. PKCS#1 padding will be removed as part of * Decrypt with no padding. PKCS#1 padding will be removed as part of
...@@ -2761,8 +2807,11 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2761,8 +2807,11 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster), decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
PACKET_data(&enc_premaster), PACKET_data(&enc_premaster),
rsa_decrypt, rsa, RSA_NO_PADDING); rsa_decrypt, rsa, RSA_NO_PADDING);
if (decrypt_len < 0) if (decrypt_len < 0) {
SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
/* Check the padding. See RFC 3447, section 7.2.2. */ /* Check the padding. See RFC 3447, section 7.2.2. */
...@@ -2772,8 +2821,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2772,8 +2821,8 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
* PS is at least 8 bytes. * PS is at least 8 bytes.
*/ */
if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) { if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
*al = SSL_AD_DECRYPT_ERROR; SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED); SSL_R_DECRYPTION_FAILED);
goto err; goto err;
} }
...@@ -2840,8 +2889,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2840,8 +2889,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len, if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
sizeof(rand_premaster_secret), 0)) { sizeof(rand_premaster_secret), 0)) {
*al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -2857,7 +2905,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) ...@@ -2857,7 +2905,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
#endif #endif
} }
static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
{ {
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
EVP_PKEY *skey = NULL; EVP_PKEY *skey = NULL;
...@@ -2869,47 +2917,47 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) ...@@ -2869,47 +2917,47 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
int ret = 0; int ret = 0;
if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) { if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE,
SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
goto err; goto err;
} }
skey = s->s3->tmp.pkey; skey = s->s3->tmp.pkey;
if (skey == NULL) { if (skey == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY); SSL_R_MISSING_TMP_DH_KEY);
goto err; goto err;
} }
if (PACKET_remaining(pkt) == 0L) { if (PACKET_remaining(pkt) == 0L) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY); SSL_R_MISSING_TMP_DH_KEY);
goto err; goto err;
} }
if (!PACKET_get_bytes(pkt, &data, i)) { if (!PACKET_get_bytes(pkt, &data, i)) {
/* We already checked we have enough data */ /* We already checked we have enough data */
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
ckey = EVP_PKEY_new(); ckey = EVP_PKEY_new();
if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) { if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
SSL_R_BN_LIB);
goto err; goto err;
} }
cdh = EVP_PKEY_get0_DH(ckey); cdh = EVP_PKEY_get0_DH(ckey);
pub_key = BN_bin2bn(data, i, NULL); pub_key = BN_bin2bn(data, i, NULL);
if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) { if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
ERR_R_INTERNAL_ERROR);
if (pub_key != NULL) if (pub_key != NULL)
BN_free(pub_key); BN_free(pub_key);
goto err; goto err;
} }
if (ssl_derive(s, skey, ckey, 1) == 0) { if (ssl_derive(s, skey, ckey, 1) == 0) {
*al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -2921,13 +2969,13 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) ...@@ -2921,13 +2969,13 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
return ret; return ret;
#else #else
/* Should never happen */ /* Should never happen */
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
#endif #endif
} }
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
{ {
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
EVP_PKEY *skey = s->s3->tmp.pkey; EVP_PKEY *skey = s->s3->tmp.pkey;
...@@ -2936,8 +2984,8 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) ...@@ -2936,8 +2984,8 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
if (PACKET_remaining(pkt) == 0L) { if (PACKET_remaining(pkt) == 0L) {
/* We don't support ECDH client auth */ /* We don't support ECDH client auth */
*al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY); SSL_R_MISSING_TMP_ECDH_KEY);
goto err; goto err;
} else { } else {
unsigned int i; unsigned int i;
...@@ -2951,25 +2999,25 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) ...@@ -2951,25 +2999,25 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
/* Get encoded point length */ /* Get encoded point length */
if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i) if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; goto err;
} }
ckey = EVP_PKEY_new(); ckey = EVP_PKEY_new();
if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) { if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
ERR_R_EVP_LIB);
goto err; goto err;
} }
if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) { if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB); ERR_R_EC_LIB);
goto err; goto err;
} }
} }
if (ssl_derive(s, skey, ckey, 1) == 0) { if (ssl_derive(s, skey, ckey, 1) == 0) {
*al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -2982,13 +3030,13 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) ...@@ -2982,13 +3030,13 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
return ret; return ret;
#else #else
/* Should never happen */ /* Should never happen */
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
#endif #endif
} }
static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) static int tls_process_cke_srp(SSL *s, PACKET *pkt)
{ {
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
unsigned int i; unsigned int i;
...@@ -2996,42 +3044,43 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) ...@@ -2996,42 +3044,43 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
if (!PACKET_get_net_2(pkt, &i) if (!PACKET_get_net_2(pkt, &i)
|| !PACKET_get_bytes(pkt, &data, i)) { || !PACKET_get_bytes(pkt, &data, i)) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH); SSL_R_BAD_SRP_A_LENGTH);
return 0; return 0;
} }
if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) { if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB); ERR_R_BN_LIB);
return 0; return 0;
} }
if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) { if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
*al = SSL_AD_ILLEGAL_PARAMETER; SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS); SSL_R_BAD_SRP_PARAMETERS);
return 0; return 0;
} }
OPENSSL_free(s->session->srp_username); OPENSSL_free(s->session->srp_username);
s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
if (s->session->srp_username == NULL) { if (s->session->srp_username == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
if (!srp_generate_server_master_secret(s)) { if (!srp_generate_server_master_secret(s)) {
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
return 0; return 0;
} }
return 1; return 1;
#else #else
/* Should never happen */ /* Should never happen */
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
#endif #endif
} }
static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) static int tls_process_cke_gost(SSL *s, PACKET *pkt)
{ {
#ifndef OPENSSL_NO_GOST #ifndef OPENSSL_NO_GOST
EVP_PKEY_CTX *pkey_ctx; EVP_PKEY_CTX *pkey_ctx;
...@@ -3065,13 +3114,13 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) ...@@ -3065,13 +3114,13 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
if (pkey_ctx == NULL) { if (pkey_ctx == NULL) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
return 0; return 0;
} }
if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) { if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
/* /*
...@@ -3088,36 +3137,35 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) ...@@ -3088,36 +3137,35 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
/* Decrypt session key */ /* Decrypt session key */
sess_key_len = PACKET_remaining(pkt); sess_key_len = PACKET_remaining(pkt);
if (!PACKET_get_bytes(pkt, &data, sess_key_len)) { if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
/* TODO(size_t): Convert this function */ /* TODO(size_t): Convert this function */
if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag, if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
&Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
|| Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); SSL_R_DECRYPTION_FAILED);
goto err; goto err;
} }
start = data; start = data;
inlen = Tlen; inlen = Tlen;
if (EVP_PKEY_decrypt if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
(pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) { inlen) <= 0) {
*al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); SSL_R_DECRYPTION_FAILED);
goto err; goto err;
} }
/* Generate master secret */ /* Generate master secret */
if (!ssl_generate_master_secret(s, premaster_secret, if (!ssl_generate_master_secret(s, premaster_secret,
sizeof(premaster_secret), 0)) { sizeof(premaster_secret), 0)) {
*al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
/* Check if pubkey from client certificate was used */ /* Check if pubkey from client certificate was used */
if (EVP_PKEY_CTX_ctrl if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) NULL) > 0)
s->statem.no_cert_verify = 1; s->statem.no_cert_verify = 1;
ret = 1; ret = 1;
...@@ -3126,68 +3174,75 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) ...@@ -3126,68 +3174,75 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
return ret; return ret;
#else #else
/* Should never happen */ /* Should never happen */
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
#endif #endif
} }
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{ {
int al = -1;
unsigned long alg_k; unsigned long alg_k;
alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
/* For PSK parse and retrieve identity, obtain PSK key */ /* For PSK parse and retrieve identity, obtain PSK key */
if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al)) if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
/* SSLfatal() already called */
goto err; goto err;
}
if (alg_k & SSL_kPSK) { if (alg_k & SSL_kPSK) {
/* Identity extracted earlier: should be nothing left */ /* Identity extracted earlier: should be nothing left */
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; goto err;
} }
/* PSK handled by ssl_generate_master_secret */ /* PSK handled by ssl_generate_master_secret */
if (!ssl_generate_master_secret(s, NULL, 0, 0)) { if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
} else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) { } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
if (!tls_process_cke_rsa(s, pkt, &al)) if (!tls_process_cke_rsa(s, pkt)) {
/* SSLfatal() already called */
goto err; goto err;
}
} else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) { } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
if (!tls_process_cke_dhe(s, pkt, &al)) if (!tls_process_cke_dhe(s, pkt)) {
/* SSLfatal() already called */
goto err; goto err;
}
} else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) { } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
if (!tls_process_cke_ecdhe(s, pkt, &al)) if (!tls_process_cke_ecdhe(s, pkt)) {
/* SSLfatal() already called */
goto err; goto err;
}
} else if (alg_k & SSL_kSRP) { } else if (alg_k & SSL_kSRP) {
if (!tls_process_cke_srp(s, pkt, &al)) if (!tls_process_cke_srp(s, pkt)) {
/* SSLfatal() already called */
goto err; goto err;
}
} else if (alg_k & SSL_kGOST) { } else if (alg_k & SSL_kGOST) {
if (!tls_process_cke_gost(s, pkt, &al)) if (!tls_process_cke_gost(s, pkt)) {
/* SSLfatal() already called */
goto err; goto err;
}
} else { } else {
al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_UNKNOWN_CIPHER_TYPE); SSL_R_UNKNOWN_CIPHER_TYPE);
goto err; goto err;
} }
return MSG_PROCESS_CONTINUE_PROCESSING; return MSG_PROCESS_CONTINUE_PROCESSING;
err: err:
if (al != -1)
ssl3_send_alert(s, SSL3_AL_FATAL, al);
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen); OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
s->s3->tmp.psk = NULL; s->s3->tmp.psk = NULL;
#endif #endif
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
...@@ -3209,7 +3264,9 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) ...@@ -3209,7 +3264,9 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
sizeof(sctpauthkey), labelbuffer, sizeof(sctpauthkey), labelbuffer,
sizeof(labelbuffer), NULL, 0, sizeof(labelbuffer), NULL, 0,
0) <= 0) { 0) <= 0) {
ossl_statem_set_error(s); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
return WORK_ERROR; return WORK_ERROR;
} }
...@@ -3225,15 +3282,15 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) ...@@ -3225,15 +3282,15 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
* the handshake_buffer * the handshake_buffer
*/ */
if (!ssl3_digest_cached_records(s, 0)) { if (!ssl3_digest_cached_records(s, 0)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
return WORK_FINISHED_CONTINUE; return WORK_FINISHED_CONTINUE;
} else { } else {
if (!s->s3->handshake_buffer) { if (!s->s3->handshake_buffer) {
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
ossl_statem_set_error(s);
return WORK_ERROR; return WORK_ERROR;
} }
/* /*
...@@ -3241,7 +3298,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) ...@@ -3241,7 +3298,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
* extms we've done this already so this is a no-op * extms we've done this already so this is a no-op
*/ */
if (!ssl3_digest_cached_records(s, 1)) { if (!ssl3_digest_cached_records(s, 1)) {
ossl_statem_set_error(s); /* SSLfatal() already called */
return WORK_ERROR; return WORK_ERROR;
} }
} }
...@@ -3251,7 +3308,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) ...@@ -3251,7 +3308,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
{ {
int i, al = SSL_AD_INTERNAL_ERROR; int i;
MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
X509 *x = NULL; X509 *x = NULL;
unsigned long l, llen; unsigned long l, llen;
...@@ -3261,8 +3318,9 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3261,8 +3318,9 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
size_t chainidx; size_t chainidx;
if ((sk = sk_X509_new_null()) == NULL) { if ((sk = sk_X509_new_null()) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
goto f_err; ERR_R_MALLOC_FAILURE);
goto err;
} }
/* TODO(TLS1.3): For now we ignore the context. We need to verify this */ /* TODO(TLS1.3): For now we ignore the context. We need to verify this */
...@@ -3270,31 +3328,32 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3270,31 +3328,32 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
|| !PACKET_get_net_3(pkt, &llen) || !PACKET_get_net_3(pkt, &llen)
|| !PACKET_get_sub_packet(pkt, &spkt, llen) || !PACKET_get_sub_packet(pkt, &spkt, llen)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto f_err; goto err;
} }
for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) { for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
if (!PACKET_get_net_3(&spkt, &l) if (!PACKET_get_net_3(&spkt, &l)
|| !PACKET_get_bytes(&spkt, &certbytes, l)) { || !PACKET_get_bytes(&spkt, &certbytes, l)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH); SSL_R_CERT_LENGTH_MISMATCH);
goto f_err; goto err;
} }
certstart = certbytes; certstart = certbytes;
x = d2i_X509(NULL, (const unsigned char **)&certbytes, l); x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
if (x == NULL) { if (x == NULL) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); SSLfatal(s, SSL_AD_DECODE_ERROR,
goto f_err; SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
goto err;
} }
if (certbytes != (certstart + l)) { if (certbytes != (certstart + l)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH); SSL_R_CERT_LENGTH_MISMATCH);
goto f_err; goto err;
} }
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
...@@ -3302,25 +3361,28 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3302,25 +3361,28 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
PACKET extensions; PACKET extensions;
if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) { if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH); SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
goto f_err; SSL_R_BAD_LENGTH);
goto err;
} }
if (!tls_collect_extensions(s, &extensions, if (!tls_collect_extensions(s, &extensions,
SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
&al, NULL, chainidx == 0) NULL, chainidx == 0)
|| !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
rawexts, x, chainidx, &al, rawexts, x, chainidx,
PACKET_remaining(&spkt) == 0)) { PACKET_remaining(&spkt) == 0)) {
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
goto f_err; goto err;
} }
OPENSSL_free(rawexts); OPENSSL_free(rawexts);
} }
if (!sk_X509_push(sk, x)) { if (!sk_X509_push(sk, x)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
goto f_err; SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
ERR_R_MALLOC_FAILURE);
goto err;
} }
x = NULL; x = NULL;
} }
...@@ -3328,43 +3390,44 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3328,43 +3390,44 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
if (sk_X509_num(sk) <= 0) { if (sk_X509_num(sk) <= 0) {
/* TLS does not mind 0 certs returned */ /* TLS does not mind 0 certs returned */
if (s->version == SSL3_VERSION) { if (s->version == SSL3_VERSION) {
al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_NO_CERTIFICATES_RETURNED); SSL_R_NO_CERTIFICATES_RETURNED);
goto f_err; goto err;
} }
/* Fail for TLS only if we required a certificate */ /* Fail for TLS only if we required a certificate */
else if ((s->verify_mode & SSL_VERIFY_PEER) && else if ((s->verify_mode & SSL_VERIFY_PEER) &&
(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
al = SSL_AD_CERTIFICATE_REQUIRED; goto err;
goto f_err;
} }
/* No client certificate so digest cached records */ /* No client certificate so digest cached records */
if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) { if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
goto f_err; /* SSLfatal() already called */
goto err;
} }
} else { } else {
EVP_PKEY *pkey; EVP_PKEY *pkey;
i = ssl_verify_cert_chain(s, sk); i = ssl_verify_cert_chain(s, sk);
if (i <= 0) { if (i <= 0) {
al = ssl_verify_alarm_type(s->verify_result); SSLfatal(s, ssl_verify_alarm_type(s->verify_result),
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_CERTIFICATE_VERIFY_FAILED); SSL_R_CERTIFICATE_VERIFY_FAILED);
goto f_err; goto err;
} }
if (i > 1) { if (i > 1) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
al = SSL_AD_HANDSHAKE_FAILURE; SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
goto f_err; goto err;
} }
pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
if (pkey == NULL) { if (pkey == NULL) {
al = SSL3_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_UNKNOWN_CERTIFICATE_TYPE); SSL_R_UNKNOWN_CERTIFICATE_TYPE);
goto f_err; goto err;
} }
} }
...@@ -3380,9 +3443,8 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3380,9 +3443,8 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
* message * message
*/ */
if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) { if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); goto err;
goto f_err;
} }
/* /*
...@@ -3396,18 +3458,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3396,18 +3458,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
&& !ssl_handshake_hash(s, s->cert_verify_hash, && !ssl_handshake_hash(s, s->cert_verify_hash,
sizeof(s->cert_verify_hash), sizeof(s->cert_verify_hash),
&s->cert_verify_hash_len)) { &s->cert_verify_hash_len)) {
al = SSL_AD_INTERNAL_ERROR; /* SSLfatal() already called */
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); goto err;
goto f_err;
} }
ret = MSG_PROCESS_CONTINUE_READING; ret = MSG_PROCESS_CONTINUE_READING;
goto done;
f_err: err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
done:
X509_free(x); X509_free(x);
sk_X509_pop_free(sk, X509_free); sk_X509_pop_free(sk, X509_free);
return ret; return ret;
...@@ -3416,10 +3473,10 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) ...@@ -3416,10 +3473,10 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
int tls_construct_server_certificate(SSL *s, WPACKET *pkt) int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
{ {
CERT_PKEY *cpk = s->s3->tmp.cert; CERT_PKEY *cpk = s->s3->tmp.cert;
int al = SSL_AD_INTERNAL_ERROR;
if (cpk == NULL) { if (cpk == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -3427,10 +3484,13 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt) ...@@ -3427,10 +3484,13 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
* In TLSv1.3 the certificate chain is always preceded by a 0 length context * In TLSv1.3 the certificate chain is always preceded by a 0 length context
* for the server Certificate message * for the server Certificate message
*/ */
if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
|| !ssl3_output_cert_chain(s, pkt, cpk, &al)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0;
}
if (!ssl3_output_cert_chain(s, pkt, cpk)) {
/* SSLfatal() already called */
return 0; return 0;
} }
...@@ -3450,7 +3510,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3450,7 +3510,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
SSL_CTX *tctx = s->session_ctx; SSL_CTX *tctx = s->session_ctx;
unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
int iv_len, al = SSL_AD_INTERNAL_ERROR; int iv_len;
size_t macoffset, macendoffset; size_t macoffset, macendoffset;
union { union {
unsigned char age_add_c[sizeof(uint32_t)]; unsigned char age_add_c[sizeof(uint32_t)];
...@@ -3458,8 +3518,12 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3458,8 +3518,12 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
} age_add_u; } age_add_u;
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
s->session->ext.tick_age_add = age_add_u.age_add; s->session->ext.tick_age_add = age_add_u.age_add;
/* /*
* ticket_nonce is set to a single 0 byte because we only ever send a * ticket_nonce is set to a single 0 byte because we only ever send a
...@@ -3469,7 +3533,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3469,7 +3533,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
OPENSSL_free(s->session->ext.tick_nonce); OPENSSL_free(s->session->ext.tick_nonce);
s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char)); s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char));
if (s->session->ext.tick_nonce == NULL) { if (s->session->ext.tick_nonce == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
...@@ -3480,7 +3545,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3480,7 +3545,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
s->session->ext.alpn_selected = s->session->ext.alpn_selected =
OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
if (s->session->ext.alpn_selected == NULL) { if (s->session->ext.alpn_selected == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_MALLOC_FAILURE); ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
...@@ -3496,42 +3562,56 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3496,42 +3562,56 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
* long * long
*/ */
if (slen_full == 0 || slen_full > 0xFF00) { if (slen_full == 0 || slen_full > 0xFF00) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
senc = OPENSSL_malloc(slen_full); senc = OPENSSL_malloc(slen_full);
if (senc == NULL) { if (senc == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
ctx = EVP_CIPHER_CTX_new(); ctx = EVP_CIPHER_CTX_new();
hctx = HMAC_CTX_new(); hctx = HMAC_CTX_new();
if (ctx == NULL || hctx == NULL) { if (ctx == NULL || hctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
p = senc; p = senc;
if (!i2d_SSL_SESSION(s->session, &p)) if (!i2d_SSL_SESSION(s->session, &p)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
/* /*
* create a fresh copy (not shared with other threads) to clean up * create a fresh copy (not shared with other threads) to clean up
*/ */
const_p = senc; const_p = senc;
sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
if (sess == NULL) if (sess == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
sess->session_id_length = 0; /* ID is irrelevant for the ticket */ sess->session_id_length = 0; /* ID is irrelevant for the ticket */
slen = i2d_SSL_SESSION(sess, NULL); slen = i2d_SSL_SESSION(sess, NULL);
if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */ if (slen == 0 || slen > slen_full) {
/* shouldn't ever happen */
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(sess); SSL_SESSION_free(sess);
goto err; goto err;
} }
p = senc; p = senc;
if (!i2d_SSL_SESSION(sess, &p)) { if (!i2d_SSL_SESSION(sess, &p)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(sess); SSL_SESSION_free(sess);
goto err; goto err;
} }
...@@ -3551,7 +3631,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3551,7 +3631,8 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
/* Put timeout and length */ /* Put timeout and length */
if (!WPACKET_put_bytes_u32(pkt, 0) if (!WPACKET_put_bytes_u32(pkt, 0)
|| !WPACKET_put_bytes_u16(pkt, 0)) { || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
...@@ -3560,22 +3641,28 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3560,22 +3641,28 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
HMAC_CTX_free(hctx); HMAC_CTX_free(hctx);
return 1; return 1;
} }
if (ret < 0) if (ret < 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
SSL_R_CALLBACK_FAILED);
goto err; goto err;
}
iv_len = EVP_CIPHER_CTX_iv_length(ctx); iv_len = EVP_CIPHER_CTX_iv_length(ctx);
} else { } else {
const EVP_CIPHER *cipher = EVP_aes_256_cbc(); const EVP_CIPHER *cipher = EVP_aes_256_cbc();
iv_len = EVP_CIPHER_iv_length(cipher); iv_len = EVP_CIPHER_iv_length(cipher);
if (ssl_randbytes(s, iv, iv_len) <= 0) if (ssl_randbytes(s, iv, iv_len) <= 0
goto err; || !EVP_EncryptInit_ex(ctx, cipher, NULL,
if (!EVP_EncryptInit_ex(ctx, cipher, NULL, tctx->ext.tick_aes_key, iv)
tctx->ext.tick_aes_key, iv)) || !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
goto err;
if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
sizeof(tctx->ext.tick_hmac_key), sizeof(tctx->ext.tick_hmac_key),
EVP_sha256(), NULL)) EVP_sha256(), NULL)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
ERR_R_INTERNAL_ERROR);
goto err; goto err;
}
memcpy(key_name, tctx->ext.tick_key_name, memcpy(key_name, tctx->ext.tick_key_name,
sizeof(tctx->ext.tick_key_name)); sizeof(tctx->ext.tick_key_name));
} }
...@@ -3619,12 +3706,15 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3619,12 +3706,15 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
|| hlen > EVP_MAX_MD_SIZE || hlen > EVP_MAX_MD_SIZE
|| !WPACKET_allocate_bytes(pkt, hlen, &macdata2) || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
|| macdata1 != macdata2 || macdata1 != macdata2
|| !WPACKET_close(pkt) || !WPACKET_close(pkt)) {
|| (SSL_IS_TLS13(s) SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
}
if (SSL_IS_TLS13(s)
&& !tls_construct_extensions(s, pkt, && !tls_construct_extensions(s, pkt,
SSL_EXT_TLS1_3_NEW_SESSION_TICKET, SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
NULL, 0, &al))) { NULL, 0)) {
SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
EVP_CIPHER_CTX_free(ctx); EVP_CIPHER_CTX_free(ctx);
...@@ -3633,11 +3723,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) ...@@ -3633,11 +3723,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
return 1; return 1;
err: err:
ossl_statem_set_error(s);
OPENSSL_free(senc); OPENSSL_free(senc);
EVP_CIPHER_CTX_free(ctx); EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx); HMAC_CTX_free(hctx);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -3676,7 +3764,6 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) ...@@ -3676,7 +3764,6 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
{ {
PACKET next_proto, padding; PACKET next_proto, padding;
size_t next_proto_len; size_t next_proto_len;
int al = SSL_AD_INTERNAL_ERROR;
/*- /*-
* The payload looks like: * The payload looks like:
...@@ -3688,34 +3775,29 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) ...@@ -3688,34 +3775,29 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
if (!PACKET_get_length_prefixed_1(pkt, &next_proto) if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
|| !PACKET_get_length_prefixed_1(pkt, &padding) || !PACKET_get_length_prefixed_1(pkt, &padding)
|| PACKET_remaining(pkt) > 0) { || PACKET_remaining(pkt) > 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
goto err; return MSG_PROCESS_ERROR;
} }
if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
s->ext.npn_len = 0; s->ext.npn_len = 0;
goto err; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
ERR_R_INTERNAL_ERROR);
return MSG_PROCESS_ERROR;
} }
s->ext.npn_len = (unsigned char)next_proto_len; s->ext.npn_len = (unsigned char)next_proto_len;
return MSG_PROCESS_CONTINUE_READING; return MSG_PROCESS_CONTINUE_READING;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
} }
#endif #endif
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{ {
int al;
if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, 0, &al)) { NULL, 0)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al); /* SSLfatal() already called */
SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -3724,7 +3806,6 @@ static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) ...@@ -3724,7 +3806,6 @@ static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
size_t len = 0; size_t len = 0;
/* /*
...@@ -3732,12 +3813,17 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) ...@@ -3732,12 +3813,17 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
* (should be s->version) * (should be s->version)
*/ */
if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT) if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
|| !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
|| !tls_construct_extensions(s, pkt, &len)) {
SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
NULL, 0, &al)) { SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); return 0;
goto err; }
if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
NULL, 0)) {
/* SSLfatal() already called */
return 0;
} }
/* Ditch the session. We'll create a new one next time around */ /* Ditch the session. We'll create a new one next time around */
...@@ -3749,30 +3835,27 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt) ...@@ -3749,30 +3835,27 @@ static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
* Re-initialise the Transcript Hash. We're going to prepopulate it with * Re-initialise the Transcript Hash. We're going to prepopulate it with
* a synthetic message_hash in place of ClientHello1. * a synthetic message_hash in place of ClientHello1.
*/ */
if (!create_synthetic_message_hash(s)) if (!create_synthetic_message_hash(s)) {
goto err; /* SSLfatal() already called */
return 0;
}
return 1; return 1;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0;
} }
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
{ {
int al = SSL_AD_INTERNAL_ERROR;
if (PACKET_remaining(pkt) != 0) { if (PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR; SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, SSL_R_LENGTH_MISMATCH); SSL_R_LENGTH_MISMATCH);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR; return MSG_PROCESS_ERROR;
} }
if (s->early_data_state != SSL_EARLY_DATA_READING if (s->early_data_state != SSL_EARLY_DATA_READING
&& s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
goto err; ERR_R_INTERNAL_ERROR);
return MSG_PROCESS_ERROR;
} }
/* /*
...@@ -3780,22 +3863,18 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) ...@@ -3780,22 +3863,18 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
* a record boundary. * a record boundary.
*/ */
if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
al = SSL_AD_UNEXPECTED_MESSAGE; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
SSL_R_NOT_ON_RECORD_BOUNDARY); SSL_R_NOT_ON_RECORD_BOUNDARY);
goto err; return MSG_PROCESS_ERROR;
} }
s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
if (!s->method->ssl3_enc->change_cipher_state(s, if (!s->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; return MSG_PROCESS_ERROR;
} }
return MSG_PROCESS_CONTINUE_READING; return MSG_PROCESS_CONTINUE_READING;
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
} }
ssl/t1_enc.c
浏览文件 @ f63a17d6
...@@ -113,15 +113,18 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -113,15 +113,18 @@ int tls1_change_cipher_state(SSL *s, int which)
else else
s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
if (s->enc_read_ctx != NULL) if (s->enc_read_ctx != NULL) {
reuse_dd = 1; reuse_dd = 1;
else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
else } else {
/* /*
* make sure it's initialised in case we exit later with an error * make sure it's initialised in case we exit later with an error
*/ */
EVP_CIPHER_CTX_reset(s->enc_read_ctx); EVP_CIPHER_CTX_reset(s->enc_read_ctx);
}
dd = s->enc_read_ctx; dd = s->enc_read_ctx;
mac_ctx = ssl_replace_hash(&s->read_hash, NULL); mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
if (mac_ctx == NULL) if (mac_ctx == NULL)
...@@ -132,9 +135,10 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -132,9 +135,10 @@ int tls1_change_cipher_state(SSL *s, int which)
if (comp != NULL) { if (comp != NULL) {
s->expand = COMP_CTX_new(comp->method); s->expand = COMP_CTX_new(comp->method);
if (s->expand == NULL) { if (s->expand == NULL) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS1_CHANGE_CIPHER_STATE,
SSL_R_COMPRESSION_LIBRARY_ERROR); SSL_R_COMPRESSION_LIBRARY_ERROR);
goto err2; goto err;
} }
} }
#endif #endif
...@@ -155,30 +159,42 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -155,30 +159,42 @@ int tls1_change_cipher_state(SSL *s, int which)
s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
else else
s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) {
reuse_dd = 1; reuse_dd = 1;
else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
}
dd = s->enc_write_ctx; dd = s->enc_write_ctx;
if (SSL_IS_DTLS(s)) { if (SSL_IS_DTLS(s)) {
mac_ctx = EVP_MD_CTX_new(); mac_ctx = EVP_MD_CTX_new();
if (mac_ctx == NULL) if (mac_ctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS1_CHANGE_CIPHER_STATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
}
s->write_hash = mac_ctx; s->write_hash = mac_ctx;
} else { } else {
mac_ctx = ssl_replace_hash(&s->write_hash, NULL); mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
if (mac_ctx == NULL) if (mac_ctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS1_CHANGE_CIPHER_STATE,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
}
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
COMP_CTX_free(s->compress); COMP_CTX_free(s->compress);
s->compress = NULL; s->compress = NULL;
if (comp != NULL) { if (comp != NULL) {
s->compress = COMP_CTX_new(comp->method); s->compress = COMP_CTX_new(comp->method);
if (s->compress == NULL) { if (s->compress == NULL) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS1_CHANGE_CIPHER_STATE,
SSL_R_COMPRESSION_LIBRARY_ERROR); SSL_R_COMPRESSION_LIBRARY_ERROR);
goto err2; goto err;
} }
} }
#endif #endif
...@@ -227,8 +243,9 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -227,8 +243,9 @@ int tls1_change_cipher_state(SSL *s, int which)
} }
if (n > s->s3->tmp.key_block_length) { if (n > s->s3->tmp.key_block_length) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
memcpy(mac_secret, ms, i); memcpy(mac_secret, ms, i);
...@@ -240,8 +257,9 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -240,8 +257,9 @@ int tls1_change_cipher_state(SSL *s, int which)
if (mac_key == NULL if (mac_key == NULL
|| EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) { || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
EVP_PKEY_free(mac_key); EVP_PKEY_free(mac_key);
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
EVP_PKEY_free(mac_key); EVP_PKEY_free(mac_key);
} }
...@@ -258,8 +276,9 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -258,8 +276,9 @@ int tls1_change_cipher_state(SSL *s, int which)
if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))
|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k,
iv)) { iv)) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
} else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) { } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
int taglen; int taglen;
...@@ -273,21 +292,24 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -273,21 +292,24 @@ int tls1_change_cipher_state(SSL *s, int which)
|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv)
|| !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
} else { } else {
if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
} }
/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
&& !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
(int)*mac_secret_size, mac_secret)) { (int)*mac_secret_size, mac_secret)) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
goto err2; ERR_R_INTERNAL_ERROR);
goto err;
} }
#ifdef SSL_DEBUG #ifdef SSL_DEBUG
...@@ -312,8 +334,6 @@ int tls1_change_cipher_state(SSL *s, int which) ...@@ -312,8 +334,6 @@ int tls1_change_cipher_state(SSL *s, int which)
OPENSSL_cleanse(iv2, sizeof(iv2)); OPENSSL_cleanse(iv2, sizeof(iv2));
return 1; return 1;
err: err:
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
err2:
OPENSSL_cleanse(tmp1, sizeof(tmp1)); OPENSSL_cleanse(tmp1, sizeof(tmp1));
OPENSSL_cleanse(tmp2, sizeof(tmp1)); OPENSSL_cleanse(tmp2, sizeof(tmp1));
OPENSSL_cleanse(iv1, sizeof(iv1)); OPENSSL_cleanse(iv1, sizeof(iv1));
...@@ -336,7 +356,8 @@ int tls1_setup_key_block(SSL *s) ...@@ -336,7 +356,8 @@ int tls1_setup_key_block(SSL *s)
if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
&comp, s->ext.use_etm)) { &comp, s->ext.use_etm)) {
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK,
SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return 0; return 0;
} }
...@@ -350,7 +371,8 @@ int tls1_setup_key_block(SSL *s) ...@@ -350,7 +371,8 @@ int tls1_setup_key_block(SSL *s)
ssl3_cleanup_key_block(s); ssl3_cleanup_key_block(s);
if ((p = OPENSSL_malloc(num)) == NULL) { if ((p = OPENSSL_malloc(num)) == NULL) {
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK,
ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
...@@ -446,10 +468,11 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, ...@@ -446,10 +468,11 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
* affect client auth because we're freezing the buffer at the same * affect client auth because we're freezing the buffer at the same
* point (after client key exchange and before certificate verify) * point (after client key exchange and before certificate verify)
*/ */
if (!ssl3_digest_cached_records(s, 1)) if (!ssl3_digest_cached_records(s, 1)
return 0; || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) /* SSLfatal() already called */
return 0; return 0;
}
#ifdef SSL_DEBUG #ifdef SSL_DEBUG
fprintf(stderr, "Handshake hashes:\n"); fprintf(stderr, "Handshake hashes:\n");
BIO_dump_fp(stderr, (char *)hash, hashlen); BIO_dump_fp(stderr, (char *)hash, hashlen);
......
ssl/t1_lib.c
浏览文件 @ f63a17d6
...@@ -894,7 +894,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) ...@@ -894,7 +894,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
if (SSL_IS_TLS13(s)) { if (SSL_IS_TLS13(s)) {
/* Disallow DSA for TLS 1.3 */ /* Disallow DSA for TLS 1.3 */
if (pkeyid == EVP_PKEY_DSA) { if (pkeyid == EVP_PKEY_DSA) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0; return 0;
} }
/* Only allow PSS for TLS 1.3 */ /* Only allow PSS for TLS 1.3 */
...@@ -910,7 +911,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) ...@@ -910,7 +911,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
|| (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) || (SSL_IS_TLS13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224))
|| (pkeyid != lu->sig || (pkeyid != lu->sig
&& (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0; return 0;
} }
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
...@@ -918,7 +920,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) ...@@ -918,7 +920,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
/* Check point compression is permitted */ /* Check point compression is permitted */
if (!tls1_check_pkey_comp(s, pkey)) { if (!tls1_check_pkey_comp(s, pkey)) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_ILLEGAL_POINT_COMPRESSION); SSL_R_ILLEGAL_POINT_COMPRESSION);
return 0; return 0;
} }
...@@ -929,27 +932,32 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) ...@@ -929,27 +932,32 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
if (lu->curve != NID_undef && curve != lu->curve) { if (lu->curve != NID_undef && curve != lu->curve) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
return 0; return 0;
} }
} }
if (!SSL_IS_TLS13(s)) { if (!SSL_IS_TLS13(s)) {
/* Check curve matches extensions */ /* Check curve matches extensions */
if (!tls1_check_group_id(s, tls1_get_group_id(pkey))) { if (!tls1_check_group_id(s, tls1_get_group_id(pkey))) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
return 0; return 0;
} }
if (tls1_suiteb(s)) { if (tls1_suiteb(s)) {
/* Check sigalg matches a permissible Suite B value */ /* Check sigalg matches a permissible Suite B value */
if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256 if (sig != TLSEXT_SIGALG_ecdsa_secp256r1_sha256
&& sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) { && sig != TLSEXT_SIGALG_ecdsa_secp384r1_sha384) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE); SSL_R_WRONG_SIGNATURE_TYPE);
return 0; return 0;
} }
} }
} }
} else if (tls1_suiteb(s)) { } else if (tls1_suiteb(s)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0; return 0;
} }
#endif #endif
...@@ -963,11 +971,13 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) ...@@ -963,11 +971,13 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
/* Allow fallback to SHA1 if not strict mode */ /* Allow fallback to SHA1 if not strict mode */
if (i == sent_sigslen && (lu->hash != NID_sha1 if (i == sent_sigslen && (lu->hash != NID_sha1
|| s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) { || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0; return 0;
} }
if (!tls1_lookup_md(lu, &md)) { if (!tls1_lookup_md(lu, &md)) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_UNKNOWN_DIGEST);
return 0; return 0;
} }
if (md != NULL) { if (md != NULL) {
...@@ -980,7 +990,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) ...@@ -980,7 +990,8 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK, if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
EVP_MD_size(md) * 4, EVP_MD_type(md), EVP_MD_size(md) * 4, EVP_MD_type(md),
(void *)sigalgstr)) { (void *)sigalgstr)) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0; return 0;
} }
} }
...@@ -1074,7 +1085,6 @@ int tls_use_ticket(SSL *s) ...@@ -1074,7 +1085,6 @@ int tls_use_ticket(SSL *s)
int tls1_set_server_sigalgs(SSL *s) int tls1_set_server_sigalgs(SSL *s)
{ {
int al;
size_t i; size_t i;
/* Clear any shared signature algorithms */ /* Clear any shared signature algorithms */
...@@ -1110,17 +1120,16 @@ int tls1_set_server_sigalgs(SSL *s) ...@@ -1110,17 +1120,16 @@ int tls1_set_server_sigalgs(SSL *s)
} }
if (!tls1_process_sigalgs(s)) { if (!tls1_process_sigalgs(s)) {
SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
al = SSL_AD_INTERNAL_ERROR; SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_INTERNAL_ERROR);
goto err; return 0;
} }
if (s->cert->shared_sigalgs != NULL) if (s->cert->shared_sigalgs != NULL)
return 1; return 1;
/* Fatal error if no shared signature algorithms */ /* Fatal error if no shared signature algorithms */
SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS1_SET_SERVER_SIGALGS,
al = SSL_AD_HANDSHAKE_FAILURE; SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS);
err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return 0; return 0;
} }
...@@ -2240,14 +2249,14 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) ...@@ -2240,14 +2249,14 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
* Choose an appropriate signature algorithm based on available certificates * Choose an appropriate signature algorithm based on available certificates
* Sets chosen certificate and signature algorithm. * Sets chosen certificate and signature algorithm.
* *
* For servers if we fail to find a required certificate it is a fatal error * For servers if we fail to find a required certificate it is a fatal error,
* and an appropriate error code is set and the TLS alert set in *al. * an appropriate error code is set and a TLS alert is sent.
* *
* For clients al is set to NULL. If a certificate is not suitable it is not * For clients fatalerrs is set to 0. If a certificate is not suitable it is not
* a fatal error: we will either try another certificate or not present one * a fatal error: we will either try another certificate or not present one
* to the server. In this case no error is set. * to the server. In this case no error is set.
*/ */
int tls_choose_sigalg(SSL *s, int *al) int tls_choose_sigalg(SSL *s, int fatalerrs)
{ {
const SIGALG_LOOKUP *lu = NULL; const SIGALG_LOOKUP *lu = NULL;
int sig_idx = -1; int sig_idx = -1;
...@@ -2298,10 +2307,9 @@ int tls_choose_sigalg(SSL *s, int *al) ...@@ -2298,10 +2307,9 @@ int tls_choose_sigalg(SSL *s, int *al)
break; break;
} }
if (i == s->cert->shared_sigalgslen) { if (i == s->cert->shared_sigalgslen) {
if (al == NULL) if (!fatalerrs)
return 1; return 1;
*al = SSL_AD_HANDSHAKE_FAILURE; SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CHOOSE_SIGALG,
SSLerr(SSL_F_TLS_CHOOSE_SIGALG,
SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
return 0; return 0;
} }
...@@ -2354,10 +2362,10 @@ int tls_choose_sigalg(SSL *s, int *al) ...@@ -2354,10 +2362,10 @@ int tls_choose_sigalg(SSL *s, int *al)
break; break;
} }
if (i == s->cert->shared_sigalgslen) { if (i == s->cert->shared_sigalgslen) {
if (al == NULL) if (!fatalerrs)
return 1; return 1;
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} else { } else {
...@@ -2368,10 +2376,10 @@ int tls_choose_sigalg(SSL *s, int *al) ...@@ -2368,10 +2376,10 @@ int tls_choose_sigalg(SSL *s, int *al)
size_t sent_sigslen, i; size_t sent_sigslen, i;
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
if (al == NULL) if (!fatalerrs)
return 1; return 1;
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -2382,19 +2390,20 @@ int tls_choose_sigalg(SSL *s, int *al) ...@@ -2382,19 +2390,20 @@ int tls_choose_sigalg(SSL *s, int *al)
break; break;
} }
if (i == sent_sigslen) { if (i == sent_sigslen) {
if (al == NULL) if (!fatalerrs)
return 1; return 1;
SSLerr(SSL_F_TLS_CHOOSE_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE); SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
*al = SSL_AD_ILLEGAL_PARAMETER; SSL_F_TLS_CHOOSE_SIGALG,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0; return 0;
} }
} }
} else { } else {
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
if (al == NULL) if (!fatalerrs)
return 1; return 1;
*al = SSL_AD_INTERNAL_ERROR; SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CHOOSE_SIGALG,
SSLerr(SSL_F_TLS_CHOOSE_SIGALG, ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
} }
......
ssl/tls13_enc.c
浏览文件 @ f63a17d6
...@@ -59,6 +59,8 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, ...@@ -59,6 +59,8 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
|| !WPACKET_finish(&pkt)) { || !WPACKET_finish(&pkt)) {
EVP_PKEY_CTX_free(pctx); EVP_PKEY_CTX_free(pctx);
WPACKET_cleanup(&pkt); WPACKET_cleanup(&pkt);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
...@@ -72,6 +74,10 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, ...@@ -72,6 +74,10 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
EVP_PKEY_CTX_free(pctx); EVP_PKEY_CTX_free(pctx);
if (ret != 0)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
ERR_R_INTERNAL_ERROR);
return ret == 0; return ret == 0;
} }
...@@ -128,8 +134,11 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, ...@@ -128,8 +134,11 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
static const char derived_secret_label[] = "derived"; static const char derived_secret_label[] = "derived";
unsigned char preextractsec[EVP_MAX_MD_SIZE]; unsigned char preextractsec[EVP_MAX_MD_SIZE];
if (pctx == NULL) if (pctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
ERR_R_INTERNAL_ERROR);
return 0; return 0;
}
mdlen = EVP_MD_size(md); mdlen = EVP_MD_size(md);
...@@ -148,6 +157,8 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, ...@@ -148,6 +157,8 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
if (mctx == NULL if (mctx == NULL
|| EVP_DigestInit_ex(mctx, md, NULL) <= 0 || EVP_DigestInit_ex(mctx, md, NULL) <= 0
|| EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
ERR_R_INTERNAL_ERROR);
EVP_MD_CTX_free(mctx); EVP_MD_CTX_free(mctx);
EVP_PKEY_CTX_free(pctx); EVP_PKEY_CTX_free(pctx);
return 0; return 0;
...@@ -159,6 +170,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, ...@@ -159,6 +170,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
(unsigned char *)derived_secret_label, (unsigned char *)derived_secret_label,
sizeof(derived_secret_label) - 1, hash, mdlen, sizeof(derived_secret_label) - 1, hash, mdlen,
preextractsec, mdlen)) { preextractsec, mdlen)) {
/* SSLfatal() already called */
EVP_PKEY_CTX_free(pctx); EVP_PKEY_CTX_free(pctx);
return 0; return 0;
} }
...@@ -177,6 +189,10 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, ...@@ -177,6 +189,10 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
|| EVP_PKEY_derive(pctx, outsecret, &mdlen) || EVP_PKEY_derive(pctx, outsecret, &mdlen)
<= 0; <= 0;
if (ret != 0)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
ERR_R_INTERNAL_ERROR);
EVP_PKEY_CTX_free(pctx); EVP_PKEY_CTX_free(pctx);
if (prevsecret == preextractsec) if (prevsecret == preextractsec)
OPENSSL_cleanse(preextractsec, mdlen); OPENSSL_cleanse(preextractsec, mdlen);
...@@ -191,6 +207,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, ...@@ -191,6 +207,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret,
size_t insecretlen) size_t insecretlen)
{ {
/* Calls SSLfatal() if required */
return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret,
insecret, insecretlen, insecret, insecretlen,
(unsigned char *)&s->handshake_secret); (unsigned char *)&s->handshake_secret);
...@@ -208,6 +225,7 @@ int tls13_generate_master_secret(SSL *s, unsigned char *out, ...@@ -208,6 +225,7 @@ int tls13_generate_master_secret(SSL *s, unsigned char *out,
const EVP_MD *md = ssl_handshake_md(s); const EVP_MD *md = ssl_handshake_md(s);
*secret_size = EVP_MD_size(md); *secret_size = EVP_MD_size(md);
/* Calls SSLfatal() if required */
return tls13_generate_secret(s, md, prev, NULL, 0, out); return tls13_generate_secret(s, md, prev, NULL, 0, out);
} }
...@@ -261,7 +279,8 @@ int tls13_setup_key_block(SSL *s) ...@@ -261,7 +279,8 @@ int tls13_setup_key_block(SSL *s)
s->session->cipher = s->s3->tmp.new_cipher; s->session->cipher = s->s3->tmp.new_cipher;
if (!ssl_cipher_get_evp if (!ssl_cipher_get_evp
(s->session, &c, &hash, &mac_type, NULL, NULL, 0)) { (s->session, &c, &hash, &mac_type, NULL, NULL, 0)) {
SSLerr(SSL_F_TLS13_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return 0; return 0;
} }
...@@ -285,7 +304,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, ...@@ -285,7 +304,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
secret, hashlen)) { secret, hashlen)) {
SSLerr(SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
...@@ -312,7 +331,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, ...@@ -312,7 +331,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
if (!tls13_derive_key(s, md, secret, key, keylen) if (!tls13_derive_key(s, md, secret, key, keylen)
|| !tls13_derive_iv(s, md, secret, iv, ivlen)) { || !tls13_derive_iv(s, md, secret, iv, ivlen)) {
SSLerr(SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
...@@ -321,7 +340,8 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, ...@@ -321,7 +340,8 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
|| (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
taglen, NULL)) taglen, NULL))
|| EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {
SSLerr(SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_EVP_LIB); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
ERR_R_EVP_LIB);
goto err; goto err;
} }
...@@ -361,7 +381,8 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -361,7 +381,8 @@ int tls13_change_cipher_state(SSL *s, int which)
} else { } else {
s->enc_read_ctx = EVP_CIPHER_CTX_new(); s->enc_read_ctx = EVP_CIPHER_CTX_new();
if (s->enc_read_ctx == NULL) { if (s->enc_read_ctx == NULL) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
} }
...@@ -375,7 +396,8 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -375,7 +396,8 @@ int tls13_change_cipher_state(SSL *s, int which)
} else { } else {
s->enc_write_ctx = EVP_CIPHER_CTX_new(); s->enc_write_ctx = EVP_CIPHER_CTX_new();
if (s->enc_write_ctx == NULL) { if (s->enc_write_ctx == NULL) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
} }
...@@ -401,7 +423,8 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -401,7 +423,8 @@ int tls13_change_cipher_state(SSL *s, int which)
handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
if (handlen <= 0) { if (handlen <= 0) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE,
SSL_R_BAD_HANDSHAKE_LENGTH); SSL_R_BAD_HANDSHAKE_LENGTH);
goto err; goto err;
} }
...@@ -417,14 +440,16 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -417,14 +440,16 @@ int tls13_change_cipher_state(SSL *s, int which)
if (!ossl_assert(s->psksession != NULL if (!ossl_assert(s->psksession != NULL
&& s->max_early_data == && s->max_early_data ==
s->psksession->ext.max_early_data)) { s->psksession->ext.max_early_data)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
sslcipher = SSL_SESSION_get0_cipher(s->psksession); sslcipher = SSL_SESSION_get0_cipher(s->psksession);
} }
if (sslcipher == NULL) { if (sslcipher == NULL) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK);
goto err; goto err;
} }
...@@ -435,7 +460,8 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -435,7 +460,8 @@ int tls13_change_cipher_state(SSL *s, int which)
*/ */
mdctx = EVP_MD_CTX_new(); mdctx = EVP_MD_CTX_new();
if (mdctx == NULL) { if (mdctx == NULL) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher)); cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher));
...@@ -443,7 +469,8 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -443,7 +469,8 @@ int tls13_change_cipher_state(SSL *s, int which)
if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)
|| !EVP_DigestUpdate(mdctx, hdata, handlen) || !EVP_DigestUpdate(mdctx, hdata, handlen)
|| !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
EVP_MD_CTX_free(mdctx); EVP_MD_CTX_free(mdctx);
goto err; goto err;
} }
...@@ -501,7 +528,7 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -501,7 +528,7 @@ int tls13_change_cipher_state(SSL *s, int which)
cipher = s->s3->tmp.new_sym_enc; cipher = s->s3->tmp.new_sym_enc;
if (!ssl3_digest_cached_records(s, 1) if (!ssl3_digest_cached_records(s, 1)
|| !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */;
goto err; goto err;
} }
} }
...@@ -526,7 +553,7 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -526,7 +553,7 @@ int tls13_change_cipher_state(SSL *s, int which)
sizeof(resumption_master_secret) - 1, sizeof(resumption_master_secret) - 1,
hashval, hashlen, s->session->master_key, hashval, hashlen, s->session->master_key,
hashlen)) { hashlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
s->session->master_key_length = hashlen; s->session->master_key_length = hashlen;
...@@ -537,7 +564,7 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -537,7 +564,7 @@ int tls13_change_cipher_state(SSL *s, int which)
sizeof(exporter_master_secret) - 1, sizeof(exporter_master_secret) - 1,
hash, hashlen, s->exporter_master_secret, hash, hashlen, s->exporter_master_secret,
hashlen)) { hashlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
} }
...@@ -545,6 +572,7 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -545,6 +572,7 @@ int tls13_change_cipher_state(SSL *s, int which)
if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,
insecret, hash, label, labellen, secret, iv, insecret, hash, label, labellen, secret, iv,
ciph_ctx)) { ciph_ctx)) {
/* SSLfatal() already called */
goto err; goto err;
} }
...@@ -554,14 +582,14 @@ int tls13_change_cipher_state(SSL *s, int which) ...@@ -554,14 +582,14 @@ int tls13_change_cipher_state(SSL *s, int which)
memcpy(s->client_app_traffic_secret, secret, hashlen); memcpy(s->client_app_traffic_secret, secret, hashlen);
if (!ssl_log_secret(s, log_label, secret, hashlen)) { if (!ssl_log_secret(s, log_label, secret, hashlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
if (finsecret != NULL if (finsecret != NULL
&& !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret,
finsecret, finsecretlen)) { finsecret, finsecretlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); /* SSLfatal() already called */
goto err; goto err;
} }
...@@ -600,8 +628,10 @@ int tls13_update_key(SSL *s, int sending) ...@@ -600,8 +628,10 @@ int tls13_update_key(SSL *s, int sending)
s->s3->tmp.new_sym_enc, insecret, NULL, s->s3->tmp.new_sym_enc, insecret, NULL,
application_traffic, application_traffic,
sizeof(application_traffic) - 1, secret, iv, sizeof(application_traffic) - 1, secret, iv,
ciph_ctx)) ciph_ctx)) {
/* SSLfatal() already called */
goto err; goto err;
}
memcpy(insecret, secret, hashlen); memcpy(insecret, secret, hashlen);
......
ssl/tls_srp.c
浏览文件 @ f63a17d6
...@@ -257,9 +257,13 @@ int srp_generate_server_master_secret(SSL *s) ...@@ -257,9 +257,13 @@ int srp_generate_server_master_secret(SSL *s)
goto err; goto err;
tmp_len = BN_num_bytes(K); tmp_len = BN_num_bytes(K);
if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, ERR_R_MALLOC_FAILURE);
goto err; goto err;
}
BN_bn2bin(K, tmp); BN_bn2bin(K, tmp);
/* Calls SSLfatal() as required */
ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
err: err:
BN_clear_free(K); BN_clear_free(K);
......
test/tls13secretstest.c
浏览文件 @ f63a17d6
...@@ -207,6 +207,11 @@ const EVP_MD *ssl_md(int idx) ...@@ -207,6 +207,11 @@ const EVP_MD *ssl_md(int idx)
return EVP_sha256(); return EVP_sha256();
} }
void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
int line)
{
}
/* End of mocked out code */ /* End of mocked out code */
static int test_secret(SSL *s, unsigned char *prk, static int test_secret(SSL *s, unsigned char *prk,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册