5 files changed, 151 insertions, 7 deletions
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 778b525224..e3b9a5cac9 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.57 2019/11/17 06:35:30 jsing Exp $
+# $OpenBSD: Makefile,v 1.58 2020/01/20 13:10:37 jsing Exp $
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -67,6 +67,7 @@ SRCS= \
        t1_lib.c \
        tls13_buffer.c \
        tls13_client.c \
+        tls13_error.c \
        tls13_handshake.c \
        tls13_handshake_msg.c \
        tls13_key_schedule.c \
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 6dcf8c85b6..07b9ede345 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.19 2019/11/17 06:30:12 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.20 2020/01/20 13:10:37 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -499,6 +499,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx)
        if (ssl_verify_cert_chain(s, certs) <= 0 &&
            s->verify_mode != SSL_VERIFY_NONE) {
                /* XXX send alert */
+                tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
+                    "failed to verify peer certificate", NULL);
                goto err;
        }
        ERR_clear_error();
diff --git a/src/lib/libssl/tls13_error.c b/src/lib/libssl/tls13_error.c
new file mode 100644
index 0000000000..295b6c4fab
--- /dev/null
+++ b/src/lib/libssl/tls13_error.c
@@ -0,0 +1,99 @@
+/* $OpenBSD: tls13_error.c,v 1.1 2020/01/20 13:10:37 jsing Exp $ */
+/*
+ * Copyright (c) 2014,2019 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <errno.h>
+#include "tls13_internal.h"
+void
+tls13_error_clear(struct tls13_error *error)
+{
+        error->code = 0;
+        error->subcode = 0;
+        error->errnum = 0;
+        error->file = NULL;
+        error->line = 0;
+        free(error->msg);
+        error->msg = NULL;
+}
+static int
+tls13_error_vset(struct tls13_error *error, int code, int subcode, int errnum,
+    const char *file, int line, const char *fmt, va_list ap)
+{
+        char *errmsg = NULL;
+        int rv = -1;
+        tls13_error_clear(error);
+        error->code = code;
+        error->subcode = subcode;
+        error->errnum = errnum;
+        error->file = file;
+        error->line = line;
+        if (vasprintf(&errmsg, fmt, ap) == -1) {
+                errmsg = NULL;
+                goto err;
+        }
+        if (errnum == -1) {
+                error->msg = errmsg;
+                return 0;
+        }
+        if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
+                error->msg = NULL;
+                goto err;
+        }
+        rv = 0;
+ err:
+        free(errmsg);
+        return rv;
+}
+int
+tls13_error_set(struct tls13_error *error, int code, int subcode,
+    const char *file, int line, const char *fmt, ...)
+{
+        va_list ap;
+        int errnum, rv;
+        errnum = errno;
+        va_start(ap, fmt);
+        rv = tls13_error_vset(error, code, subcode, errnum, file, line, fmt, ap);
+        va_end(ap);
+        return (rv);
+}
+int
+tls13_error_setx(struct tls13_error *error, int code, int subcode,
+    const char *file, int line, const char *fmt, ...)
+{
+        va_list ap;
+        int rv;
+        va_start(ap, fmt);
+        rv = tls13_error_vset(error, code, subcode, -1, file, line, fmt, ap);
+        va_end(ap);
+        return (rv);
+}
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index b33e4818af..41833f233f 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.36 2019/11/26 23:46:18 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.37 2020/01/20 13:10:37 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -37,6 +37,8 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_IO_WANT_POLLOUT   -3
 #define TLS13_IO_USE_LEGACY     -4
+#define TLS13_ERR_VERIFY_FAILED 16
 typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *cbs);
 typedef void (*tls13_phh_sent_cb)(void *_cb_arg);
@@ -160,7 +162,18 @@ struct tls13_handshake_stage {
 struct ssl_handshake_tls13_st;
+struct tls13_error {
+        int code;
+        int subcode;
+        int errnum;
+        const char *file;
+        int line;
+        char *msg;
+};
 struct tls13_ctx {
+        struct tls13_error error;
        SSL *ssl;
        struct ssl_handshake_tls13_st *hs;
        uint8_t mode;
@@ -261,6 +274,20 @@ int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx);
 int tls13_server_finished_recv(struct tls13_ctx *ctx);
 int tls13_server_finished_send(struct tls13_ctx *ctx);
+void tls13_error_clear(struct tls13_error *error);
+int tls13_error_set(struct tls13_error *error, int code, int subcode,
+    const char *file, int line, const char *fmt, ...);
+int tls13_error_setx(struct tls13_error *error, int code, int subcode,
+    const char *file, int line, const char *fmt, ...);
+#define tls13_set_error(ctx, code, subcode, fmt, ...) \
+        tls13_error_set(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
+            (fmt), __VA_ARGS__)
+#define tls13_set_errorx(ctx, code, subcode, fmt, ...) \
+        tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
+            (fmt), __VA_ARGS__)
 __END_HIDDEN_DECLS
 #endif
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 6876528f50..d30d28c45f 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.13 2019/11/26 23:46:18 beck Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.14 2020/01/20 13:10:37 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -263,6 +263,7 @@ tls13_ctx_free(struct tls13_ctx *ctx)
        if (ctx == NULL)
                return;
+        tls13_error_clear(&ctx->error);
        tls13_record_layer_free(ctx->rl);
        freezero(ctx, sizeof(struct tls13_ctx));
@@ -340,6 +341,22 @@ tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
        return tls13_legacy_wire_write(ctx->ssl, buf, n);
 }
+static void
+tls13_legacy_error(SSL *ssl)
+{
+        struct tls13_ctx *ctx = ssl->internal->tls13;
+        int reason = ERR_R_INTERNAL_ERROR;
+        switch (ctx->error.code) {
+        case TLS13_ERR_VERIFY_FAILED:
+                reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
+                break;
+        }
+        ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
+            ctx->error.line);
+}
 int
 tls13_legacy_return_code(SSL *ssl, ssize_t ret)
 {
@@ -359,9 +376,7 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret)
                return 0;
        case TLS13_IO_FAILURE:
-                /* XXX - we need to record/map internal errors. */
+                tls13_legacy_error(ssl);
-                if (ERR_peek_error() == 0)
-                        SSLerror(ssl, ERR_R_INTERNAL_ERROR);
                return -1;
        case TLS13_IO_WANT_POLLIN:

diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile index 778b525224..e3b9a5cac9 100644 --- a/src/lib/libssl/Makefile +++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.57 2019/11/17 06:35:30 jsing Exp $	1	# $OpenBSD: Makefile,v 1.58 2020/01/20 13:10:37 jsing Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4	.ifndef NOMAN	4	.ifndef NOMAN
@@ -67,6 +67,7 @@ SRCS= \
67	t1_lib.c \	67	t1_lib.c \
68	tls13_buffer.c \	68	tls13_buffer.c \
69	tls13_client.c \	69	tls13_client.c \
		70	tls13_error.c \
70	tls13_handshake.c \	71	tls13_handshake.c \
71	tls13_handshake_msg.c \	72	tls13_handshake_msg.c \
72	tls13_key_schedule.c \	73	tls13_key_schedule.c \


diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 6dcf8c85b6..07b9ede345 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.19 2019/11/17 06:30:12 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.20 2020/01/20 13:10:37 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -499,6 +499,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx)
499	if (ssl_verify_cert_chain(s, certs) <= 0 &&	499	if (ssl_verify_cert_chain(s, certs) <= 0 &&
500	s->verify_mode != SSL_VERIFY_NONE) {	500	s->verify_mode != SSL_VERIFY_NONE) {
501	/* XXX send alert */	501	/* XXX send alert */
		502	tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
		503	"failed to verify peer certificate", NULL);
502	goto err;	504	goto err;
503	}	505	}
504	ERR_clear_error();	506	ERR_clear_error();


diff --git a/src/lib/libssl/tls13_error.c b/src/lib/libssl/tls13_error.c new file mode 100644 index 0000000000..295b6c4fab --- /dev/null +++ b/src/lib/libssl/tls13_error.c
@@ -0,0 +1,99 @@
		1	/* $OpenBSD: tls13_error.c,v 1.1 2020/01/20 13:10:37 jsing Exp $ */
		2	/*
		3	* Copyright (c) 2014,2019 Joel Sing <jsing@openbsd.org>
		4	*
		5	* Permission to use, copy, modify, and distribute this software for any
		6	* purpose with or without fee is hereby granted, provided that the above
		7	* copyright notice and this permission notice appear in all copies.
		8	*
		9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	*/
		17
		18	#include <errno.h>
		19
		20	#include "tls13_internal.h"
		21
		22	void
		23	tls13_error_clear(struct tls13_error *error)
		24	{
		25	error->code = 0;
		26	error->subcode = 0;
		27	error->errnum = 0;
		28	error->file = NULL;
		29	error->line = 0;
		30	free(error->msg);
		31	error->msg = NULL;
		32	}
		33
		34	static int
		35	tls13_error_vset(struct tls13_error *error, int code, int subcode, int errnum,
		36	const char file, int line, const char fmt, va_list ap)
		37	{
		38	char *errmsg = NULL;
		39	int rv = -1;
		40
		41	tls13_error_clear(error);
		42
		43	error->code = code;
		44	error->subcode = subcode;
		45	error->errnum = errnum;
		46	error->file = file;
		47	error->line = line;
		48
		49	if (vasprintf(&errmsg, fmt, ap) == -1) {
		50	errmsg = NULL;
		51	goto err;
		52	}
		53
		54	if (errnum == -1) {
		55	error->msg = errmsg;
		56	return 0;
		57	}
		58
		59	if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
		60	error->msg = NULL;
		61	goto err;
		62	}
		63	rv = 0;
		64
		65	err:
		66	free(errmsg);
		67
		68	return rv;
		69	}
		70
		71	int
		72	tls13_error_set(struct tls13_error *error, int code, int subcode,
		73	const char file, int line, const char fmt, ...)
		74	{
		75	va_list ap;
		76	int errnum, rv;
		77
		78	errnum = errno;
		79
		80	va_start(ap, fmt);
		81	rv = tls13_error_vset(error, code, subcode, errnum, file, line, fmt, ap);
		82	va_end(ap);
		83
		84	return (rv);
		85	}
		86
		87	int
		88	tls13_error_setx(struct tls13_error *error, int code, int subcode,
		89	const char file, int line, const char fmt, ...)
		90	{
		91	va_list ap;
		92	int rv;
		93
		94	va_start(ap, fmt);
		95	rv = tls13_error_vset(error, code, subcode, -1, file, line, fmt, ap);
		96	va_end(ap);
		97
		98	return (rv);
		99	}


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index b33e4818af..41833f233f 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.36 2019/11/26 23:46:18 beck Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.37 2020/01/20 13:10:37 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -37,6 +37,8 @@ __BEGIN_HIDDEN_DECLS
37	#define TLS13_IO_WANT_POLLOUT -3	37	#define TLS13_IO_WANT_POLLOUT -3
38	#define TLS13_IO_USE_LEGACY -4	38	#define TLS13_IO_USE_LEGACY -4
39		39
		40	#define TLS13_ERR_VERIFY_FAILED 16
		41
40	typedef void (tls13_alert_cb)(uint8_t _alert_desc, void _cb_arg);	42	typedef void (tls13_alert_cb)(uint8_t _alert_desc, void _cb_arg);
41	typedef ssize_t (tls13_phh_recv_cb)(void _cb_arg, CBS *cbs);	43	typedef ssize_t (tls13_phh_recv_cb)(void _cb_arg, CBS *cbs);
42	typedef void (tls13_phh_sent_cb)(void _cb_arg);	44	typedef void (tls13_phh_sent_cb)(void _cb_arg);
@@ -160,7 +162,18 @@ struct tls13_handshake_stage {
160		162
161	struct ssl_handshake_tls13_st;	163	struct ssl_handshake_tls13_st;
162		164
		165	struct tls13_error {
		166	int code;
		167	int subcode;
		168	int errnum;
		169	const char *file;
		170	int line;
		171	char *msg;
		172	};
		173
163	struct tls13_ctx {	174	struct tls13_ctx {
		175	struct tls13_error error;
		176
164	SSL *ssl;	177	SSL *ssl;
165	struct ssl_handshake_tls13_st *hs;	178	struct ssl_handshake_tls13_st *hs;
166	uint8_t mode;	179	uint8_t mode;
@@ -261,6 +274,20 @@ int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx);
261	int tls13_server_finished_recv(struct tls13_ctx *ctx);	274	int tls13_server_finished_recv(struct tls13_ctx *ctx);
262	int tls13_server_finished_send(struct tls13_ctx *ctx);	275	int tls13_server_finished_send(struct tls13_ctx *ctx);
263		276
		277	void tls13_error_clear(struct tls13_error *error);
		278
		279	int tls13_error_set(struct tls13_error *error, int code, int subcode,
		280	const char file, int line, const char fmt, ...);
		281	int tls13_error_setx(struct tls13_error *error, int code, int subcode,
		282	const char file, int line, const char fmt, ...);
		283
		284	#define tls13_set_error(ctx, code, subcode, fmt, ...) \
		285	tls13_error_set(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
		286	(fmt), __VA_ARGS__)
		287	#define tls13_set_errorx(ctx, code, subcode, fmt, ...) \
		288	tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
		289	(fmt), __VA_ARGS__)
		290
264	__END_HIDDEN_DECLS	291	__END_HIDDEN_DECLS
265		292
266	#endif	293	#endif


diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 6876528f50..d30d28c45f 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.13 2019/11/26 23:46:18 beck Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.14 2020/01/20 13:10:37 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -263,6 +263,7 @@ tls13_ctx_free(struct tls13_ctx *ctx)
263	if (ctx == NULL)	263	if (ctx == NULL)
264	return;	264	return;
265		265
		266	tls13_error_clear(&ctx->error);
266	tls13_record_layer_free(ctx->rl);	267	tls13_record_layer_free(ctx->rl);
267		268
268	freezero(ctx, sizeof(struct tls13_ctx));	269	freezero(ctx, sizeof(struct tls13_ctx));
@@ -340,6 +341,22 @@ tls13_legacy_wire_write_cb(const void buf, size_t n, void arg)
340	return tls13_legacy_wire_write(ctx->ssl, buf, n);	341	return tls13_legacy_wire_write(ctx->ssl, buf, n);
341	}	342	}
342		343
		344	static void
		345	tls13_legacy_error(SSL *ssl)
		346	{
		347	struct tls13_ctx *ctx = ssl->internal->tls13;
		348	int reason = ERR_R_INTERNAL_ERROR;
		349
		350	switch (ctx->error.code) {
		351	case TLS13_ERR_VERIFY_FAILED:
		352	reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
		353	break;
		354	}
		355
		356	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
		357	ctx->error.line);
		358	}
		359
343	int	360	int
344	tls13_legacy_return_code(SSL *ssl, ssize_t ret)	361	tls13_legacy_return_code(SSL *ssl, ssize_t ret)
345	{	362	{
@@ -359,9 +376,7 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret)
359	return 0;	376	return 0;
360		377
361	case TLS13_IO_FAILURE:	378	case TLS13_IO_FAILURE:
362	/* XXX - we need to record/map internal errors. */	379	tls13_legacy_error(ssl);
363	if (ERR_peek_error() == 0)
364	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
365	return -1;	380	return -1;
366		381
367	case TLS13_IO_WANT_POLLIN:	382	case TLS13_IO_WANT_POLLIN: