author | Joel Sing <jsing@cvs.openbsd.org> | 2020-01-20 13:10:38 +0000 |
committer | Joel Sing <jsing@cvs.openbsd.org> | 2020-01-20 13:10:38 +0000 |
commit | 562bc692fe4670bfd2a4b5ec728fb5f5f41bbc00 (patch) | |
tree | 96db1571c8f6903dc91a971e9cb21b3122b74768 | |
parent | c385348cf630caedd10ae29eabc4729eea2f3bc7 (diff) |
Provide an error framework for use with the TLSv1.3 code.
This is based on the libtls error handling code, but adds machine readable
codes and subcodes. We then map these codes back to libssl error codes.
ok beck@ inoguchi@
-rw-r--r-- | lib/libssl/Makefile | 3 | ||||
-rw-r--r-- | lib/libssl/tls13_client.c | 4 | ||||
-rw-r--r-- | lib/libssl/tls13_error.c | 99 | ||||
-rw-r--r-- | lib/libssl/tls13_internal.h | 29 | ||||
-rw-r--r-- | lib/libssl/tls13_lib.c | 23 |
5 files changed, 151 insertions, 7 deletions
diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile
index 778b525224a..e3b9a5cac91 100644
--- a/lib/libssl/Makefile
+++ b/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.57 2019/11/17 06:35:30 jsing Exp $
+# $OpenBSD: Makefile,v 1.58 2020/01/20 13:10:37 jsing Exp $
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -67,6 +67,7 @@ SRCS= \
 t1_lib.c \
 tls13_buffer.c \
 tls13_client.c \
+ tls13_error.c \
 tls13_handshake.c \
 tls13_handshake_msg.c \
 tls13_key_schedule.c \
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 6dcf8c85b67..07b9ede3454 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.19 2019/11/17 06:30:12 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.20 2020/01/20 13:10:37 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -499,6 +499,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx)
 if (ssl_verify_cert_chain(s, certs) <= 0 &&
 s->verify_mode != SSL_VERIFY_NONE) {
 /* XXX send alert */
+ tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
+ "failed to verify peer certificate", NULL);
 goto err;
 }
 ERR_clear_error();
diff --git a/lib/libssl/tls13_error.c b/lib/libssl/tls13_error.c
new file mode 100644
index 00000000000..295b6c4fab0
--- /dev/null
+++ b/lib/libssl/tls13_error.c
@@ -0,0 +1,99 @@
+/* $OpenBSD: tls13_error.c,v 1.1 2020/01/20 13:10:37 jsing Exp $ */
+/*
+ * Copyright (c) 2014,2019 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+
+#include "tls13_internal.h"
+
+void
+tls13_error_clear(struct tls13_error *error)
+{
+ error->code = 0;
+ error->subcode = 0;
+ error->errnum = 0;
+ error->file = NULL;
+ error->line = 0;
+ free(error->msg);
+ error->msg = NULL;
+}
+
+static int
+tls13_error_vset(struct tls13_error *error, int code, int subcode, int errnum,
+ const char *file, int line, const char *fmt, va_list ap)
+{
+ char *errmsg = NULL;
+ int rv = -1;
+
+ tls13_error_clear(error);
+
+ error->code = code;
+ error->subcode = subcode;
+ error->errnum = errnum;
+ error->file = file;
+ error->line = line;
+
+ if (vasprintf(&errmsg, fmt, ap) == -1) {
+ errmsg = NULL;
+ goto err;
+ }
+
+ if (errnum == -1) {
+ error->msg = errmsg;
+ return 0;
+ }
+
+ if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
+ error->msg = NULL;
+ goto err;
+ }
+ rv = 0;
+
+ err:
+ free(errmsg);
+
+ return rv;
+}
+
+int
+tls13_error_set(struct tls13_error *error, int code, int subcode,
+ const char *file, int line, const char *fmt, ...)
+{
+ va_list ap;
+ int errnum, rv;
+
+ errnum = errno;
+
+ va_start(ap, fmt);
+ rv = tls13_error_vset(error, code, subcode, errnum, file, line, fmt, ap);
+ va_end(ap);
+
+ return (rv);
+}
+
+int
+tls13_error_setx(struct tls13_error *error, int code, int subcode,
+ const char *file, int line, const char *fmt, ...)
+{
+ va_list ap;
+ int rv;
+
+ va_start(ap, fmt);
+ rv = tls13_error_vset(error, code, subcode, -1, file, line, fmt, ap);
+ va_end(ap);
+
+ return (rv);
+}
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index b33e4818af8..41833f233f3 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.36 2019/11/26 23:46:18 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.37 2020/01/20 13:10:37 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -37,6 +37,8 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_IO_WANT_POLLOUT -3
 #define TLS13_IO_USE_LEGACY -4
+#define TLS13_ERR_VERIFY_FAILED 16
+
 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *cbs);
 typedef void (*tls13_phh_sent_cb)(void *_cb_arg);
@@ -160,7 +162,18 @@ struct tls13_handshake_stage {
 struct ssl_handshake_tls13_st;
+struct tls13_error {
+ int code;
+ int subcode;
+ int errnum;
+ const char *file;
+ int line;
+ char *msg;
+};
+
 struct tls13_ctx {
+ struct tls13_error error;
+
 SSL *ssl;
 struct ssl_handshake_tls13_st *hs;
 uint8_t mode;
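Review bot: tls13_error.c calls free(), vasprintf()/asprintf() and strerror() and uses va_list, yet its only includes are `<errno.h>` and `"tls13_internal.h"`; unless tls13_internal.h is deliberately providing `<stdarg.h>`, `<stdio.h>`, `<stdlib.h>` and `<string.h>`, the file compiles only through incidental transitive includes and should include them itself. tls13_error_vset also carries no comment stating the contract that every tls13_set_error/tls13_set_errorx caller depends on; I would add above it `/* Replace any previously recorded error. errnum == -1 means no errno text is appended. Returns 0, or -1 if the message could not be allocated, in which case code, subcode, file and line are still recorded and msg is NULL. */`. A small style nit: tls13_error_vset returns `rv` bare while the two public wrappers write `return (rv);` — the file should pick one form.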
@@ -261,6 +274,20 @@ int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx);
 int tls13_server_finished_recv(struct tls13_ctx *ctx);
 int tls13_server_finished_send(struct tls13_ctx *ctx);
+void tls13_error_clear(struct tls13_error *error);
+
+int tls13_error_set(struct tls13_error *error, int code, int subcode,
+ const char *file, int line, const char *fmt, ...);
+int tls13_error_setx(struct tls13_error *error, int code, int subcode,
+ const char *file, int line, const char *fmt, ...);
+
+#define tls13_set_error(ctx, code, subcode, fmt, ...) \
+ tls13_error_set(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
+ (fmt), __VA_ARGS__)
+#define tls13_set_errorx(ctx, code, subcode, fmt, ...) \
+ tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
+ (fmt), __VA_ARGS__)
+
 __END_HIDDEN_DECLS
 #endif
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index 6876528f50d..d30d28c45f7 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.13 2019/11/26 23:46:18 beck Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.14 2020/01/20 13:10:37 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -263,6 +263,7 @@ tls13_ctx_free(struct tls13_ctx *ctx)
 if (ctx == NULL)
 return;
+ tls13_error_clear(&ctx->error);
 tls13_record_layer_free(ctx->rl);
 freezero(ctx, sizeof(struct tls13_ctx));
@@ -340,6 +341,22 @@ tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
 return tls13_legacy_wire_write(ctx->ssl, buf, n);
 }
+static void
+tls13_legacy_error(SSL *ssl)
+{
+ struct tls13_ctx *ctx = ssl->internal->tls13;
+ int reason = ERR_R_INTERNAL_ERROR;
+
+ switch (ctx->error.code) {
+ case TLS13_ERR_VERIFY_FAILED:
+ reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
+ break;
+ }
+
+ ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
+ ctx->error.line);
+}
+
 int
 tls13_legacy_return_code(SSL *ssl, ssize_t ret)
 {
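Review bot: The tls13_error_set and tls13_error_setx prototypes take a printf-style `fmt` but carry no format attribute, so the compiler cannot check the variadic arguments against the format string — the trailing `NULL` that tls13_client.c passes for a format with no conversions goes unnoticed, and a mismatched argument or a non-literal `fmt` in a future caller would too. libtls annotates its tls_error_set counterpart this way; here both declarations would take `__attribute__((__format__ (printf, 6, 7)))` after the parameter list. That dummy argument exists only because the macros expand to `(fmt), __VA_ARGS__`, which requires at least one variadic argument; folding `fmt` into the variadic part, `#define tls13_set_errorx(ctx, code, subcode, ...) tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, __VA_ARGS__)` (and likewise for tls13_set_error), lets callers pass just the format string.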
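Review bot: tls13_legacy_error reports ctx->error even when no TLS 1.3 error has been recorded: in this commit only the certificate-verify path in tls13_client.c calls tls13_set_errorx, so every other TLS13_IO_FAILURE reaches ERR_put_error with `ctx->error.file == NULL` and `ctx->error.line == 0`, and whatever later prints the error queue will be handed a NULL file name. The code removed in the @@ -359 hunk of this file also pushed ERR_R_INTERNAL_ERROR only when the queue was empty, whereas this function always pushes, so an X509 or BIO error already queued now gets a second entry stacked on it — possibly intended, but worth stating in a comment. I would guard the no-error case before the switch: `if (ctx->error.code == 0) { if (ERR_peek_error() == 0) SSLerror(ssl, ERR_R_INTERNAL_ERROR); return; }`, which keeps the previous behaviour and a valid file/line for errors the new framework has not recorded.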
@@ -359,9 +376,7 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret)
 return 0;
 case TLS13_IO_FAILURE:
- /* XXX - we need to record/map internal errors. */
- if (ERR_peek_error() == 0)
- SSLerror(ssl, ERR_R_INTERNAL_ERROR);
+ tls13_legacy_error(ssl);
 return -1;
 case TLS13_IO_WANT_POLLIN: |