authorjsing <>2020-01-23 02:49:38 +0000
committerjsing <>2020-01-23 02:49:38 +0000
commitb70929d8816a98e03f2a44de9ee1c07edde90382 (patch)
tree57ca5e667e9100c8bbc3b880854a9337c1f4e5f2 /src/lib
parentcd57d3e792c4bb00f2fc86958119e7c341203865 (diff)
Add a TLS13_IO_ALERT return value so that we can explicitly signal when
we sent or received a fatal alert. Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure). ok beck@ tb@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/tls13_internal.h9
-rw-r--r--src/lib/libssl/tls13_lib.c13
-rw-r--r--src/lib/libssl/tls13_record_layer.c11
3 files changed, 22 insertions, 11 deletions
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index d8a74ef67a..4d6d626433 100644
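--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.46 2020/01/23 02:24:38 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.47 2020/01/23 02:49:38 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -33,9 +33,10 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_IO_SUCCESS 1
 #define TLS13_IO_EOF 0
 #define TLS13_IO_FAILURE -1
-#define TLS13_IO_WANT_POLLIN -2
-#define TLS13_IO_WANT_POLLOUT -3
-#define TLS13_IO_USE_LEGACY -4
+#define TLS13_IO_ALERT -2
+#define TLS13_IO_WANT_POLLIN -3
+#define TLS13_IO_WANT_POLLOUT -4
+#define TLS13_IO_USE_LEGACY -5
 
 #define TLS13_ERR_VERIFY_FAILED 16
 #define TLS13_ERR_HRR_FAILED 17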
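Review bot: TLS13_IO_ALERT is added to the return-code list without a comment saying how it differs from TLS13_IO_FAILURE, although every caller that switches on these codes now has to handle the two separately. A short comment on the new value would record the contract, for example `#define TLS13_IO_ALERT -2 /* A fatal alert was sent or received. */`. Inserting it at -2 also renumbers TLS13_IO_WANT_POLLIN, TLS13_IO_WANT_POLLOUT and TLS13_IO_USE_LEGACY, so any code that compares against the raw numbers rather than the macro names would change meaning; no such use is visible on this page.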
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 51a2a383ed..727f617471 100644
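--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.21 2020/01/22 13:10:51 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.22 2020/01/23 02:49:38 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -349,6 +349,10 @@ tls13_legacy_error(SSL *ssl)
  struct tls13_ctx *ctx = ssl->internal->tls13;
  int reason = SSL_R_UNKNOWN;
 
+ /* If we received a fatal alert we already put an error on the stack. */
+ if (S3I(ssl)->fatal_alert != 0)
+ return;
+
  switch (ctx->error.code) {
  case TLS13_ERR_VERIFY_FAILED:
  reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
@@ -384,8 +388,11 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret)
  return 0;
 
  case TLS13_IO_FAILURE:
- if (S3I(ssl)->fatal_alert == 0)
- tls13_legacy_error(ssl);
+ tls13_legacy_error(ssl);
+ return -1;
+
+ case TLS13_IO_ALERT:
+ tls13_legacy_error(ssl);
  return -1;
 
  case TLS13_IO_WANT_POLLIN: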
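Review bot: The early return added at the top of tls13_legacy_error() now applies to every caller of that function, so once S3I(ssl)->fatal_alert is non-zero no further error is pushed for this connection, whatever ctx->error.code holds. Where fatal_alert is set or cleared is not visible in these hunks, so this may be intended, but the comment could state the assumption, e.g. `/* fatal_alert is only set when a fatal alert was received, which already pushed an error. */`. For the TLS13_IO_ALERT case where we sent the alert, fatal_alert is presumably still zero and the reason falls back to SSL_R_UNKNOWN unless ctx->error.code was set; that is worth confirming. In tls13_legacy_return_code() the TLS13_IO_FAILURE and TLS13_IO_ALERT cases are identical and could share one body by stacking the labels. Both function bodies continue outside the hunks.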
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 4de7340999..f6dbbf1550 100644
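--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.22 2020/01/22 06:23:00 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.23 2020/01/23 02:49:38 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -278,7 +278,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
  } else if (alert_level == SSL3_AL_FATAL) {
  rl->read_closed = 1;
  rl->write_closed = 1;
- ret = TLS13_IO_FAILURE; /* XXX - ALERT? */
+ ret = TLS13_IO_ALERT;
  } else
  return tls13_send_alert(rl, SSL_AD_ILLEGAL_PARAMETER);
 
@@ -293,8 +293,11 @@ tls13_record_layer_send_alert(struct tls13_record_layer *rl)
 
  /* This has to fit into a single record, per RFC 8446 section 5.1. */
  if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT,
- rl->alert_data, rl->alert_len)) != rl->alert_len)
+ rl->alert_data, rl->alert_len)) != rl->alert_len) {
+ if (ret == TLS13_IO_EOF)
+ ret = TLS13_IO_ALERT;
  return ret;
+ }
 
  freezero(rl->alert_data, rl->alert_len);
  rl->alert_data = NULL;
@@ -309,7 +312,7 @@ tls13_record_layer_send_alert(struct tls13_record_layer *rl)
  } else {
  rl->read_closed = 1;
  rl->write_closed = 1;
- ret = TLS13_IO_SUCCESS; /* XXX - ALERT? */
+ ret = TLS13_IO_ALERT;
  }
 
  return ret;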
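Review bot: The EOF-to-ALERT conversion in tls13_record_layer_send_alert() returns before the freezero() of rl->alert_data and before read_closed/write_closed are set, so after this failure the pending alert stays queued and the layer is not marked closed, unlike the other TLS13_IO_ALERT return at the end of the function. If no retry is intended once the write has hit EOF, the branch could mark the layer closed with `rl->read_closed = 1; rl->write_closed = 1;` before `ret = TLS13_IO_ALERT;`. Otherwise a comment such as `/* EOF while sending an alert is a failure, not a clean close. */` would record why the state is left alone. The lines between the freezero() and the final else are outside the hunks, so this is inferred from the visible parts only.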