diff options
author | Matt Caswell <matt@openssl.org> | 2017-11-21 17:18:43 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-12-04 13:31:48 +0000 |
commit | f63a17d66dec01c123630682e0b20450b34c086a (patch) | |
tree | 6f12a8572a3f21bca6bec20941fa3793369230b0 /ssl/statem/statem_clnt.c | |
parent | 4752c5deb20cae92a7146c4b89ad41045a041970 (diff) |
Convert the state machine code to use SSLfatal()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)
Diffstat (limited to 'ssl/statem/statem_clnt.c')
-rw-r--r-- | ssl/statem/statem_clnt.c | 727 |
1 files changed, 370 insertions, 357 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 0a68264b66..e5aefa30ad 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -363,8 +363,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt) err: /* No valid transition found */ - ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); + SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, + SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, + SSL_R_UNEXPECTED_MESSAGE); return 0; } @@ -585,7 +586,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s) */ if (ssl3_renegotiate_check(s, 1)) { if (!tls_setup_handshake(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WRITE_TRAN_ERROR; } st->hand_state = TLS_ST_CW_CLNT_HELLO; @@ -614,7 +615,7 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) if (SSL_IS_DTLS(s)) { /* every DTLS ClientHello resets Finished MAC */ if (!ssl3_init_finished_mac(s)) { - ossl_statem_set_error(s); + /* SSLfatal() already called */ return WORK_ERROR; } } @@ -787,6 +788,9 @@ int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, switch (st->hand_state) { default: /* Shouldn't happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE, + SSL_R_BAD_HANDSHAKE_STATE); return 0; case TLS_ST_CW_CHANGE: @@ -993,7 +997,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) unsigned char *p; size_t sess_id_len; int i, protverr; - int al = SSL_AD_HANDSHAKE_FAILURE; #ifndef OPENSSL_NO_COMP SSL_COMP *comp; #endif @@ -1001,22 +1004,26 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) { /* Should not happen */ - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); return 0; } /* Work out what SSL/TLS/DTLS version to use */ protverr = ssl_set_client_hello_version(s); if (protverr != 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + protverr); return 0; } if (sess == NULL || !ssl_version_supported(s, sess->ssl_version) || !SSL_SESSION_is_resumable(sess)) { - if (!ssl_get_new_session(s, 0)) + if (!ssl_get_new_session(s, 0)) { + /* SSLfatal() already called */ return 0; + } } /* else use the pre-loaded session */ @@ -1040,8 +1047,11 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) } if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random), - DOWNGRADE_NONE) <= 0) + DOWNGRADE_NONE) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; + } /*- * version indicates the negotiated version: for example from @@ -1078,7 +1088,8 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) */ if (!WPACKET_put_bytes_u16(pkt, s->client_version) || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } @@ -1092,7 +1103,8 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) || (sess_id_len != 0 && !WPACKET_memcpy(pkt, s->session->session_id, sess_id_len)) || !WPACKET_close(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } @@ -1101,27 +1113,33 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) if (s->d1->cookie_len > sizeof(s->d1->cookie) || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, s->d1->cookie_len)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } } /* Ciphers supported */ if (!WPACKET_start_sub_packet_u16(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */ - if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) + if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { + /* SSLfatal() already called */ return 0; + } if (!WPACKET_close(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } /* COMPRESSION */ if (!WPACKET_start_sub_packet_u8(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } #ifndef OPENSSL_NO_COMP @@ -1132,7 +1150,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) for (i = 0; i < compnum; i++) { comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); if (!WPACKET_put_bytes_u8(pkt, comp->id)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } } @@ -1140,13 +1160,14 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) #endif /* Add the NULL method */ if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, + ERR_R_INTERNAL_ERROR); return 0; } /* TLS extensions */ - if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0, &al)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { + /* SSLfatal() already called */ return 0; } @@ -1155,36 +1176,31 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) { - int al; size_t cookie_len; PACKET cookiepkt; if (!PACKET_forward(pkt, 2) || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } cookie_len = PACKET_remaining(&cookiepkt); if (cookie_len > sizeof(s->d1->cookie)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY, + SSL_R_LENGTH_TOO_LONG); + return MSG_PROCESS_ERROR; } if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY, + SSL_R_LENGTH_MISMATCH); + return MSG_PROCESS_ERROR; } s->d1->cookie_len = cookie_len; return MSG_PROCESS_FINISHED_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); - return MSG_PROCESS_ERROR; } static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) @@ -1196,7 +1212,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) c = ssl_get_cipher_by_char(s, cipherchars, 0); if (c == NULL) { /* unknown cipher */ - SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_UNKNOWN_CIPHER_RETURNED); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_UNKNOWN_CIPHER_RETURNED); return 0; } /* @@ -1204,7 +1221,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) * or it's not allowed for the selected protocol. So we return an error. */ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { - SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_WRONG_CIPHER_RETURNED); return 0; } @@ -1212,14 +1230,16 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) i = sk_SSL_CIPHER_find(sk, c); if (i < 0) { /* we did not say we would use this cipher */ - SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_WRONG_CIPHER_RETURNED); return 0; } if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL && s->s3->tmp.new_cipher->id != c->id) { /* ServerHello selected a different ciphersuite to that in the HRR */ - SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, SSL_R_WRONG_CIPHER_RETURNED); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_WRONG_CIPHER_RETURNED); return 0; } @@ -1238,8 +1258,9 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) */ if (ssl_md(c->algorithm2) != ssl_md(s->session->cipher->algorithm2)) { - SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, - SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED); return 0; } } else { @@ -1247,8 +1268,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) * Prior to TLSv1.3 resuming a session always meant using the same * ciphersuite. */ - SSLerr(SSL_F_SET_CLIENT_CIPHERSUITE, - SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE, + SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); return 0; } } @@ -1273,16 +1294,16 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) #endif if (!PACKET_get_net_2(pkt, &sversion)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } /* load the server random */ if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } /* @@ -1292,8 +1313,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) */ protverr = ssl_choose_client_version(s, sversion, 1, &al); if (protverr != 0) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + protverr); + goto err; } /* @@ -1301,25 +1323,25 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) * message must be on a record boundary. */ if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_NOT_ON_RECORD_BOUNDARY); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_NOT_ON_RECORD_BOUNDARY); + goto err; } /* Get the session-id. */ if (!SSL_IS_TLS13(s)) { if (!PACKET_get_length_prefixed_1(pkt, &session_id)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } session_id_len = PACKET_remaining(&session_id); if (session_id_len > sizeof s->session->session_id || session_id_len > SSL3_SESSION_ID_SIZE) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto err; } } else { PACKET_null_init(&session_id); @@ -1327,16 +1349,16 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) } if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } if (!SSL_IS_TLS13(s)) { if (!PACKET_get_1(pkt, &compression)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_LENGTH_MISMATCH); + goto err; } } else { compression = 0; @@ -1347,15 +1369,17 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) PACKET_null_init(&extpkt); } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt) || PACKET_remaining(pkt) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_BAD_LENGTH); + goto err; } context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO; - if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al, NULL, 1)) - goto f_err; + if (!tls_collect_extensions(s, &extpkt, context, &extensions, NULL, 1)) { + /* SSLfatal() already called */ + goto err; + } s->hit = 0; @@ -1363,8 +1387,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) /* This will set s->hit if we are resuming */ if (!tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_TLS1_3_SERVER_HELLO, - extensions, NULL, 0, &al)) - goto f_err; + extensions, NULL, 0l)) { + /* SSLfatal() already called */ + goto err; + } } else { /* * Check if we can resume the session based on external pre-shared @@ -1396,9 +1422,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); } else { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + goto err; } } @@ -1413,10 +1439,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) if (s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { /* actually a client application bug */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + goto err; } } else { /* @@ -1433,7 +1459,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) CRYPTO_atomic_add(&s->session_ctx->stats.sess_miss, 1, &discard, s->session_ctx->lock); if (!ssl_get_new_session(s, 0)) { - goto f_err; + /* SSLfatal() already called */ + goto err; } } @@ -1447,11 +1474,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) /* Session version and negotiated protocol version should match */ if (s->version != s->session->ssl_version) { - al = SSL_AD_PROTOCOL_VERSION; - - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_SSL_SESSION_VERSION_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_SSL_SESSION_VERSION_MISMATCH); + goto err; } /* * Now that we know the version, update the check to see if it's an allowed @@ -1461,54 +1486,54 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) s->s3->tmp.max_ver = s->version; if (!set_client_ciphersuite(s, cipherchars)) { - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; + /* SSLfatal() already called */ + goto err; } #ifdef OPENSSL_NO_COMP if (compression != 0) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + goto err; } /* * If compression is disabled we'd better not try to resume a session * using compression. */ if (s->session->compress_meth != 0) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_INCONSISTENT_COMPRESSION); + goto err; } #else if (s->hit && compression != s->session->compress_meth) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); - goto f_err; + goto err; } if (compression == 0) comp = NULL; else if (!ssl_allow_compression(s)) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_COMPRESSION_DISABLED); + goto err; } else { comp = ssl3_comp_find(s->ctx->comp_methods, compression); } if (compression != 0 && comp == NULL) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, - SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO, + SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + goto err; } else { s->s3->tmp.new_compression = comp; } #endif - if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, &al, 1)) - goto f_err; + if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { + /* SSLfatal() already called */ + goto err; + } #ifndef OPENSSL_NO_SCTP if (SSL_IS_DTLS(s) && s->hit) { @@ -1525,8 +1550,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) if (SSL_export_keying_material(s, sctpauthkey, sizeof(sctpauthkey), labelbuffer, - sizeof(labelbuffer), NULL, 0, 0) <= 0) - goto f_err; + sizeof(labelbuffer), NULL, 0, 0) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO, + ERR_R_INTERNAL_ERROR); + goto err; + } BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, @@ -1542,16 +1570,13 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) && (!s->method->ssl3_enc->setup_key_block(s) || !s->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_CANNOT_CHANGE_CIPHER); - goto f_err; + /* SSLfatal() already called */ + goto err; } OPENSSL_free(extensions); return MSG_PROCESS_CONTINUE_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); + err: OPENSSL_free(extensions); return MSG_PROCESS_ERROR; } @@ -1561,20 +1586,20 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) unsigned int sversion; const unsigned char *cipherchars; RAW_EXTENSION *extensions = NULL; - int al; PACKET extpkt; if (!PACKET_get_net_2(pkt, &sversion)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, + SSL_R_LENGTH_MISMATCH); + goto err; } /* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */ if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) { - SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_WRONG_SSL_VERSION); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, + SSL_R_WRONG_SSL_VERSION); + goto err; } s->hello_retry_request = 1; @@ -1587,14 +1612,14 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) s->enc_write_ctx = NULL; if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) { - SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_LENGTH_MISMATCH); - al = SSL_AD_DECODE_ERROR; - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, + SSL_R_LENGTH_MISMATCH); + goto err; } if (!set_client_ciphersuite(s, cipherchars)) { - al = SSL_AD_ILLEGAL_PARAMETER; - goto f_err; + /* SSLfatal() already called */ + goto err; } if (!PACKET_as_length_prefixed_2(pkt, &extpkt) @@ -1602,16 +1627,18 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) || PACKET_remaining(&extpkt) == 0 /* Must be no trailing data after extensions */ || PACKET_remaining(pkt) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_BAD_LENGTH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, + SSL_R_BAD_LENGTH); + goto err; } if (!tls_collect_extensions(s, &extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, - &extensions, &al, NULL, 1) + &extensions, NULL, 1) || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, - extensions, NULL, 0, &al, 1)) - goto f_err; + extensions, NULL, 0, 1)) { + /* SSLfatal() already called */ + goto err; + } OPENSSL_free(extensions); extensions = NULL; @@ -1625,10 +1652,10 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) * We didn't receive a cookie or a new key_share so the next * ClientHello will not change */ - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, - SSL_R_NO_CHANGE_FOLLOWING_HRR); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, + SSL_R_NO_CHANGE_FOLLOWING_HRR); + goto err; } /* @@ -1636,8 +1663,8 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) * a synthetic message_hash in place of ClientHello1. */ if (!create_synthetic_message_hash(s)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; + /* SSLfatal() already called */ + goto err; } /* @@ -1648,22 +1675,19 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt) */ if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + SSL3_HM_HEADER_LENGTH)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR); - goto f_err; + /* SSLfatal() already called */ + goto err; } return MSG_PROCESS_FINISHED_READING; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - ossl_statem_set_error(s); + err: OPENSSL_free(extensions); return MSG_PROCESS_ERROR; } MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) { - int al, i; + int i; MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; unsigned long cert_list_len, cert_len; X509 *x = NULL; @@ -1675,7 +1699,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) const SSL_CERT_LOOKUP *clu; if ((sk = sk_X509_new_null()) == NULL) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + ERR_R_MALLOC_FAILURE); goto err; } @@ -1684,31 +1709,31 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) || !PACKET_get_net_3(pkt, &cert_list_len) || PACKET_remaining(pkt) != cert_list_len || PACKET_remaining(pkt) == 0) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_LENGTH_MISMATCH); + goto err; } for (chainidx = 0; PACKET_remaining(pkt); chainidx++) { if (!PACKET_get_net_3(pkt, &cert_len) || !PACKET_get_bytes(pkt, &certbytes, cert_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } certstart = certbytes; x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len); if (x == NULL) { - al = SSL_AD_BAD_CERTIFICATE; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); - goto f_err; + SSLfatal(s, SSL_AD_BAD_CERTIFICATE, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); + goto err; } if (certbytes != (certstart + cert_len)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_CERT_LENGTH_MISMATCH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto err; } if (SSL_IS_TLS13(s)) { @@ -1716,24 +1741,28 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) PACKET extensions; if (!PACKET_get_length_prefixed_2(pkt, &extensions)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_BAD_LENGTH); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_BAD_LENGTH); + goto err; } if (!tls_collect_extensions(s, &extensions, SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, - &al, NULL, chainidx == 0) + NULL, chainidx == 0) || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, - rawexts, x, chainidx, &al, + rawexts, x, chainidx, PACKET_remaining(pkt) == 0)) { OPENSSL_free(rawexts); - goto f_err; + /* SSLfatal already called */ + goto err; } OPENSSL_free(rawexts); } if (!sk_X509_push(sk, x)) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + ERR_R_MALLOC_FAILURE); goto err; } x = NULL; @@ -1755,16 +1784,16 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) * set. The *documented* interface remains the same. */ if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { - al = ssl_verify_alarm_type(s->verify_result); - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_CERTIFICATE_VERIFY_FAILED); - goto f_err; + SSLfatal(s, ssl_verify_alarm_type(s->verify_result), + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_CERTIFICATE_VERIFY_FAILED); + goto err; } ERR_clear_error(); /* but we keep s->verify_result */ if (i > 1) { - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); - al = SSL_AD_HANDSHAKE_FAILURE; - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i); + goto err; } s->session->peer_chain = sk; @@ -1779,18 +1808,17 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) { x = NULL; - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); + goto err; } if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { x = NULL; - al = SSL3_AL_FATAL; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_UNKNOWN_CERTIFICATE_TYPE); + goto err; } /* * Check certificate type is consistent with ciphersuite. For TLS 1.3 @@ -1800,10 +1828,10 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) if (!SSL_IS_TLS13(s)) { if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) { x = NULL; - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, - SSL_R_WRONG_CERTIFICATE_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, + SSL_R_WRONG_CERTIFICATE_TYPE); + goto err; } } s->session->peer_type = certidx; @@ -1819,19 +1847,13 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) && !ssl_handshake_hash(s, s->cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); - goto f_err; + /* SSLfatal() already called */; + goto err; } ret = MSG_PROCESS_CONTINUE_READING; - goto done; - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - ossl_statem_set_error(s); - done: X509_free(x); sk_X509_pop_free(sk, X509_free); return ret; @@ -2169,12 +2191,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto err; } - rv = tls12_check_peer_sigalg(s, sigalg, pkey); - if (rv == -1) { - al = SSL_AD_INTERNAL_ERROR; - goto err; - } else if (rv == 0) { - al = SSL_AD_DECODE_ERROR; + if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { + /* SSLfatal() already called */ goto err; |