The branch master has been updated via 921d84a0ad2e70ad91b6e1b06573e97162387f8a (commit) via 5591a6132ea210b89813d18a852ec2f28b5e2486 (commit) via c28533829395183eec027969c0c8d28574f2a3cc (commit) via 99dd374055e9179eea082d4c37fd19ed8814fb22 (commit) via 196f2cbb789333ee1ac1a1ec0de654c8bef4eb59 (commit) from a0fda2cf2dac8bc0d309261b3aaf4027a188b08c (commit)
- Log ----------------------------------------------------------------- commit 921d84a0ad2e70ad91b6e1b06573e97162387f8a Author: Matt Caswell <m...@openssl.org> Date: Mon Dec 4 16:54:59 2017 +0000 Convert the remaining functions in the record layer to use SSLfatal() Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4841) commit 5591a6132ea210b89813d18a852ec2f28b5e2486 Author: Matt Caswell <m...@openssl.org> Date: Mon Dec 4 16:21:53 2017 +0000 Convert dlts1_write_bytes() to use SSLfatal() Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4841) commit c28533829395183eec027969c0c8d28574f2a3cc Author: Matt Caswell <m...@openssl.org> Date: Mon Dec 4 16:16:37 2017 +0000 More record layer conversions to use SSLfatal() Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4841) commit 99dd374055e9179eea082d4c37fd19ed8814fb22 Author: Matt Caswell <m...@openssl.org> Date: Mon Dec 4 14:47:04 2017 +0000 Convert ssl3_read_bytes() to use SSLfatal() Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4841) commit 196f2cbb789333ee1ac1a1ec0de654c8bef4eb59 Author: Matt Caswell <m...@openssl.org> Date: Mon Dec 4 14:28:35 2017 +0000 Update ssl3_get_record() to use SSLfatal() Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4841) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 2 + include/openssl/sslerr.h | 2 + ssl/d1_lib.c | 8 +- ssl/record/rec_layer_d1.c | 156 +++++++++------- ssl/record/rec_layer_s3.c | 252 ++++++++++++++++---------- ssl/record/record_locl.h | 2 +- ssl/record/ssl3_buffer.c | 27 ++- ssl/record/ssl3_record.c | 393 +++++++++++++++++++++++------------------ ssl/record/ssl3_record_tls13.c | 29 ++- ssl/ssl_err.c | 2 + ssl/statem/statem_dtls.c | 2 +- 11 files changed, 522 insertions(+), 353 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 932fc46..308abae 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1043,6 +1043,7 @@ SSL_F_SSL3_CTRL:213:ssl3_ctrl SSL_F_SSL3_CTX_CTRL:133:ssl3_ctx_ctrl SSL_F_SSL3_DIGEST_CACHED_RECORDS:293:ssl3_digest_cached_records SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC:292:ssl3_do_change_cipher_spec +SSL_F_SSL3_ENC:608:ssl3_enc SSL_F_SSL3_FINAL_FINISH_MAC:285:ssl3_final_finish_mac SSL_F_SSL3_FINISH_MAC:587:ssl3_finish_mac SSL_F_SSL3_GENERATE_KEY_BLOCK:238:ssl3_generate_key_block @@ -1197,6 +1198,7 @@ SSL_F_STATE_MACHINE:353:state_machine SSL_F_TLS12_CHECK_PEER_SIGALG:333:tls12_check_peer_sigalg SSL_F_TLS12_COPY_SIGALGS:533:tls12_copy_sigalgs SSL_F_TLS13_CHANGE_CIPHER_STATE:440:tls13_change_cipher_state +SSL_F_TLS13_ENC:609:tls13_enc SSL_F_TLS13_FINAL_FINISH_MAC:605:tls13_final_finish_mac SSL_F_TLS13_GENERATE_SECRET:591:tls13_generate_secret SSL_F_TLS13_HKDF_EXPAND:561:tls13_hkdf_expand diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index ef6b9dd..b54459b 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -97,6 +97,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_SSL3_CTX_CTRL 133 # define SSL_F_SSL3_DIGEST_CACHED_RECORDS 293 # define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292 +# define SSL_F_SSL3_ENC 608 # define SSL_F_SSL3_FINAL_FINISH_MAC 285 # define SSL_F_SSL3_FINISH_MAC 587 # define SSL_F_SSL3_GENERATE_KEY_BLOCK 238 @@ -249,6 +250,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_TLS12_CHECK_PEER_SIGALG 333 # define SSL_F_TLS12_COPY_SIGALGS 533 # define SSL_F_TLS13_CHANGE_CIPHER_STATE 440 +# define SSL_F_TLS13_ENC 609 # define SSL_F_TLS13_FINAL_FINISH_MAC 605 # define SSL_F_TLS13_GENERATE_SECRET 591 # define SSL_F_TLS13_HKDF_EXPAND 561 diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 7f0fea5..f808512 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -378,7 +378,8 @@ int dtls1_check_timeout_num(SSL *s) if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_CHECK_TIMEOUT_NUM, + SSL_R_READ_TIMEOUT_EXPIRED); return -1; } @@ -397,8 +398,10 @@ int dtls1_handle_timeout(SSL *s) else dtls1_double_timeout(s); - if (dtls1_check_timeout_num(s) < 0) + if (dtls1_check_timeout_num(s) < 0) { + /* SSLfatal() already called */ return -1; + } s->d1->timeout.read_timeouts++; if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { @@ -406,6 +409,7 @@ int dtls1_handle_timeout(SSL *s) } dtls1_start_timer(s); + /* Calls SSLfatal() if required */ return dtls1_retransmit_buffered_messages(s); } diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index e49bc0c..ddb3a61 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -148,7 +148,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) if (rdata == NULL || item == NULL) { OPENSSL_free(rdata); pitem_free(item); - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_BUFFER_RECORD, + ERR_R_INTERNAL_ERROR); return -1; } @@ -175,7 +176,7 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) memset(&s->rlayer.rrec, 0, sizeof(s->rlayer.rrec)); if (!ssl3_setup_buffers(s)) { - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); @@ -184,7 +185,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) /* insert should not fail, since duplicates are dropped */ if (pqueue_insert(queue->q, item) == NULL) { - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_BUFFER_RECORD, + ERR_R_INTERNAL_ERROR); OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); @@ -258,8 +260,9 @@ int dtls1_process_buffered_records(SSL *s) * current record is from a different epoch. But that cannot * be the case because we already checked the epoch above */ - SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, - ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, + ERR_R_INTERNAL_ERROR); return 0; } #ifndef OPENSSL_NO_SCTP @@ -277,6 +280,10 @@ int dtls1_process_buffered_records(SSL *s) } if (!replayok || !dtls1_process_record(s, bitmap)) { + if (ossl_statem_in_error(s)) { + /* dtls1_process_record called SSLfatal() */ + return -1; + } /* dump this record */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); @@ -284,8 +291,10 @@ int dtls1_process_buffered_records(SSL *s) } if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds), - SSL3_RECORD_get_seq_num(s->rlayer.rrec)) < 0) + SSL3_RECORD_get_seq_num(s->rlayer.rrec)) < 0) { + /* SSLfatal() already called */ return 0; + } } } @@ -331,21 +340,24 @@ int dtls1_process_buffered_records(SSL *s) int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, size_t len, int peek, size_t *readbytes) { - int al, i, j, iret; + int i, j, iret; size_t n; SSL3_RECORD *rr; void (*cb) (const SSL *ssl, int type2, int val) = NULL; if (!SSL3_BUFFER_is_initialised(&s->rlayer.rbuf)) { /* Not initialized yet */ - if (!ssl3_setup_buffers(s)) + if (!ssl3_setup_buffers(s)) { + /* SSLfatal() already called */ return -1; + } } if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } @@ -353,12 +365,11 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, { /* type == SSL3_RT_APPLICATION_DATA */ i = s->handshake_func(s); + /* SSLfatal() already called if appropriate */ if (i < 0) return i; - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); + if (i == 0) return -1; - } } start: @@ -410,7 +421,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, iret = dtls1_get_record(s); if (iret <= 0) { iret = dtls1_read_failed(s, iret); - /* anything other than a timeout is an error */ + /* + * Anything other than a timeout is an error. SSLfatal() already + * called if appropriate. + */ if (iret <= 0) return iret; else @@ -438,7 +452,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (dtls1_buffer_record(s, &(s->rlayer.d->buffered_app_data), SSL3_RECORD_get_seq_num(rr)) < 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); + /* SSLfatal() already called */ return -1; } SSL3_RECORD_set_length(rr, 0); @@ -469,9 +483,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && (s->enc_read_ctx == NULL)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_APP_DATA_IN_HANDSHAKE); + return -1; } if (recvd_type != NULL) @@ -526,9 +540,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, || !PACKET_get_1(&alert, &alert_level) || !PACKET_get_1(&alert, &alert_descr) || PACKET_remaining(&alert) != 0) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_INVALID_ALERT); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_INVALID_ALERT); + return -1; } if (s->msg_callback) @@ -550,9 +564,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, s->rlayer.alert_count++; if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_TOO_MANY_WARN_ALERTS); + return -1; } if (alert_descr == SSL_AD_CLOSE_NOTIFY) { @@ -579,16 +593,17 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, s->rwstate = SSL_NOTHING; s->s3->fatal_alert = alert_descr; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); - BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_READ_BYTES, + SSL_AD_REASON_OFFSET + alert_descr); + BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->session_ctx, s->session); return 0; } else { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_READ_BYTES, + SSL_R_UNKNOWN_ALERT_TYPE); + return -1; } goto start; @@ -634,8 +649,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * here, then retransmit our CCS and FINISHED. */ if (msg_hdr.type == SSL3_MT_FINISHED) { - if (dtls1_check_timeout_num(s) < 0) + if (dtls1_check_timeout_num(s) < 0) { + /* SSLfatal) already called */ return -1; + } if (dtls1_retransmit_buffered_messages(s) <= 0) { /* Fail if we encountered a fatal error */ @@ -653,21 +670,20 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * finished */ if (!ossl_assert(SSL_is_init_finished(s))) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; } /* We found handshake data, so we're going back into init */ ossl_statem_set_in_init(s, 1); i = s->handshake_func(s); + /* SSLfatal() called if appropriate */ if (i < 0) return i; - if (i == 0) { - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); + if (i == 0) return -1; - } if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) { @@ -691,9 +707,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, switch (SSL3_RECORD_get_type(rr)) { default: - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -702,9 +718,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but * that should not happen when type != rr->type */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; case SSL3_RT_APPLICATION_DATA: /* * At this point, we were expecting handshake data, but have @@ -719,16 +735,12 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, s->s3->in_read_app_data = 2; return -1; } else { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS1_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; } } /* not reached */ - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; } /* @@ -741,7 +753,8 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, size_t len, int i; if (!ossl_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH)) { - SSLerr(SSL_F_DTLS1_WRITE_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_WRITE_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } s->rwstate = SSL_NOTHING; @@ -767,7 +780,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, * will happen with non blocking IO */ if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) { - SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); return 0; } @@ -783,7 +797,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, return 0; if (len > ssl_get_max_send_fragment(s)) { - SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); return 0; } @@ -797,8 +812,11 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, mac_size = 0; else { mac_size = EVP_MD_CTX_size(s->write_hash); - if (mac_size < 0) - goto err; + if (mac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE); + return -1; + } } p = SSL3_BUFFER_get_buf(wb) + prefix_len; @@ -855,8 +873,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* first we compress */ if (s->compress != NULL) { if (!ssl3_do_compress(s, &wr)) { - SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE); - goto err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + SSL_R_COMPRESSION_FAILURE); + return -1; } } else { memcpy(SSL3_RECORD_get_data(&wr), SSL3_RECORD_get_input(&wr), @@ -873,8 +892,11 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, if (!SSL_WRITE_ETM(s) && mac_size != 0) { if (!s->method->ssl3_enc->mac(s, &wr, &(p[SSL3_RECORD_get_length(&wr) + eivlen]), - 1)) - goto err; + 1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); + return -1; + } SSL3_RECORD_add_length(&wr, mac_size); } @@ -885,13 +907,21 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, if (eivlen) SSL3_RECORD_add_length(&wr, eivlen); - if (s->method->ssl3_enc->enc(s, &wr, 1, 1) < 1) - goto err; + if (s->method->ssl3_enc->enc(s, &wr, 1, 1) < 1) { + if (!ossl_statem_in_error(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); + } + return -1; + } if (SSL_WRITE_ETM(s) && mac_size != 0) { if (!s->method->ssl3_enc->mac(s, &wr, - &(p[SSL3_RECORD_get_length(&wr)]), 1)) - goto err; + &(p[SSL3_RECORD_get_length(&wr)]), 1)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE, + ERR_R_INTERNAL_ERROR); + return -1; + } SSL3_RECORD_add_length(&wr, mac_size); } @@ -940,10 +970,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, s->rlayer.wpend_type = type; s->rlayer.wpend_ret = len; - /* we now just need to write the buffer */ + /* we now just need to write the buffer. Calls SSLfatal() as required. */ return ssl3_write_pending(s, type, buf, len, written); - err: - return -1; } DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index baae0de..5f01b04 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -187,8 +187,10 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, rb = &s->rlayer.rbuf; if (rb->buf == NULL) - if (!ssl3_setup_read_buffer(s)) + if (!ssl3_setup_read_buffer(s)) { + /* SSLfatal() already called */ return -1; + } left = rb->left; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 @@ -259,8 +261,10 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, /* else we need to read more data */ - if (n > rb->len - rb->offset) { /* does not happen */ - SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR); + if (n > rb->len - rb->offset) { + /* does not happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + ERR_R_INTERNAL_ERROR); return -1; } @@ -293,7 +297,8 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, if (ret >= 0) bioread = ret; } else { - SSLerr(SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + SSL_R_READ_BIO_NOT_SET); ret = -1; } @@ -355,13 +360,16 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, */ if ((len < s->rlayer.wnum) || ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, + SSL_R_BAD_LENGTH); return -1; } if (s->early_data_state == SSL_EARLY_DATA_WRITING - && !early_data_count_ok(s, len, 0, NULL)) + && !early_data_count_ok(s, len, 0, 1)) { + /* SSLfatal() already called */ return -1; + } s->rlayer.wnum = 0; @@ -373,10 +381,10 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s) && s->early_data_state != SSL_EARLY_DATA_UNAUTH_WRITING) { i = s->handshake_func(s); + /* SSLfatal() already called */ if (i < 0) return i; if (i == 0) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } } @@ -386,6 +394,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, * will happen with non blocking IO */ if (wb->left != 0) { + /* SSLfatal() already called if appropriate */ i = ssl3_write_pending(s, type, &buf[tot], s->rlayer.wpend_tot, &tmpwrit); if (i <= 0) { @@ -430,7 +439,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, packlen *= 4; if (!ssl3_setup_write_buffer(s, 1, packlen)) { - SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE); + /* SSLfatal() already called */ return -1; } } else if (tot == len) { /* done? */ @@ -451,6 +460,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, if (s->s3->alert_dispatch) { i = s->method->ssl_dispatch_alert(s); if (i <= 0) { + /* SSLfatal() already called if appropriate */ s->rlayer.wnum = tot; return i; } @@ -506,6 +516,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, i = ssl3_write_pending(s, type, &buf[tot], nw, &tmpwrit); if (i <= 0) { + /* SSLfatal() already called if appropriate */ if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) { /* free jumbo buffer */ ssl3_release_write_buffer(s); @@ -548,7 +559,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, * We should have prevented this when we set max_pipelines so we * shouldn't get here */ - SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } if (maxpipes == 0 @@ -563,7 +575,8 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, * We should have prevented this when we set/get the split and max send * fragments so we shouldn't get here */ - SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } @@ -600,6 +613,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, i = do_ssl3_write(s, type, &(buf[tot]), pipelens, numpipes, 0, &tmpwrit); if (i <= 0) { + /* SSLfatal() already called if appropriate */ /* XXX should we ssl3_release_write_buffer if i<0? */ s->rlayer.wnum = tot; return i; @@ -651,20 +665,27 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * first check if there is a SSL3_BUFFER still being written out. This * will happen with non blocking IO */ - if (RECORD_LAYER_write_pending(&s->rlayer)) + if (RECORD_LAYER_write_pending(&s->rlayer)) { + /* Calls SSLfatal() as required */ return ssl3_write_pending(s, type, buf, totlen, written); + } /* If we have an alert to send, lets send it */ if (s->s3->alert_dispatch) { i = s->method->ssl_dispatch_alert(s); - if (i <= 0) + if (i <= 0) { + /* SSLfatal() already called if appropriate */ return i; + } /* if it went, fall through and send more stuff */ } - if (s->rlayer.numwpipes < numpipes) - if (!ssl3_setup_write_buffer(s, numpipes, 0)) + if (s->rlayer.numwpipes < numpipes) { + if (!ssl3_setup_write_buffer(s, numpipes, 0)) { + /* SSLfatal() already called */ return -1; + } + } if (totlen == 0 && !create_empty_fragment) return 0; @@ -678,8 +699,11 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, } else { /* TODO(siz_t): Convert me */ mac_size = EVP_MD_CTX_size(s->write_hash); - if (mac_size < 0) + if (mac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; + } } /* @@ -702,13 +726,16 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, int ret; ret = do_ssl3_write(s, type, buf, &tmppipelen, 1, 1, &prefix_len); - if (ret <= 0) + if (ret <= 0) { + /* SSLfatal() already called if appropriate */ goto err; + } if (prefix_len > (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { /* insufficient space */ - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } } @@ -731,7 +758,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (!WPACKET_init_static_len(&pkt[0], SSL3_BUFFER_get_buf(wb), SSL3_BUFFER_get_len(wb), 0) || !WPACKET_allocate_bytes(&pkt[0], align, NULL)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } wpinited = 1; @@ -742,7 +770,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, SSL3_BUFFER_get_len(wb), 0) || !WPACKET_allocate_bytes(&pkt[0], SSL3_BUFFER_get_offset(wb) + prefix_len, NULL)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } wpinited = 1; @@ -759,7 +788,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (!WPACKET_init_static_len(thispkt, SSL3_BUFFER_get_buf(wb), SSL3_BUFFER_get_len(wb), 0) || !WPACKET_allocate_bytes(thispkt, align, NULL)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } wpinited++; @@ -824,7 +854,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, || (maxcomplen > 0 && !WPACKET_reserve_bytes(thispkt, maxcomplen, &compressdata))) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } @@ -843,12 +874,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (s->compress != NULL) { if (!ssl3_do_compress(s, thiswr) || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) { - SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + SSL_R_COMPRESSION_FAILURE); goto err; } } else { if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } SSL3_RECORD_reset_input(&wr[j]); @@ -858,7 +891,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, size_t rlen, max_send_fragment; if (!WPACKET_put_bytes_u8(thispkt, type)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } SSL3_RECORD_add_length(thiswr, 1); @@ -891,7 +925,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (padding > max_padding) padding = max_padding; if (!WPACKET_memset(thispkt, 0, padding)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } SSL3_RECORD_add_length(thiswr, padding); @@ -910,7 +945,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } } @@ -927,7 +963,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * sub-packet */ || !WPACKET_get_length(thispkt, &len)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } @@ -945,11 +982,21 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * We haven't actually negotiated the version yet, but we're trying to * send early data - so we need to use the tls13enc function. */ - if (tls13_enc(s, wr, numpipes, 1) < 1) + if (tls13_enc(s, wr, numpipes, 1) < 1) { + if (!ossl_statem_in_error(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + } goto err; + } } else { - if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) + if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) { + if (!ossl_statem_in_error(s)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); + } goto err; + } } for (j = 0; j < numpipes; j++) { @@ -965,7 +1012,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, || (thiswr->length > origlen && !WPACKET_allocate_bytes(thispkt, thiswr->length - origlen, NULL))) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } if (SSL_WRITE_ETM(s) && mac_size != 0) { @@ -973,7 +1021,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) || !s->method->ssl3_enc->mac(s, thiswr, mac, 1)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } SSL3_RECORD_add_length(thiswr, mac_size); @@ -981,7 +1030,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (!WPACKET_get_length(thispkt, &len) || !WPACKET_close(thispkt)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } @@ -1001,7 +1051,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, } if (!WPACKET_finish(thispkt)) { - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } @@ -1020,7 +1071,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, */ if (j > 0) { /* We should never be pipelining an empty fragment!! */ - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, + ERR_R_INTERNAL_ERROR); goto err; } *written = SSL3_RECORD_get_length(thiswr); @@ -1065,7 +1117,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, || ((s->rlayer.wpend_buf != buf) && !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || (s->rlayer.wpend_type != type)) { - SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING, + SSL_R_BAD_WRITE_RETRY); return -1; } @@ -1087,7 +1140,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, if (i >= 0) tmpwrit = i; } else { - SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BIO_NOT_SET); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_PENDING, + SSL_R_BIO_NOT_SET); i = -1; } if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { @@ -1145,7 +1199,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, size_t len, int peek, size_t *readbytes) { - int al, i, j, ret; + int i, j, ret; size_t n, curr_rec, num_recs, totalbytes; SSL3_RECORD *rr; SSL3_BUFFER *rbuf; @@ -1155,15 +1209,18 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (!SSL3_BUFFER_is_initialised(rbuf)) { /* Not initialized yet */ - if (!ssl3_setup_read_buffer(s)) + if (!ssl3_setup_read_buffer(s)) { + /* SSLfatal() already called */ return -1; + } } if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); return -1; } @@ -1200,12 +1257,11 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (!ossl_statem_get_in_handshake(s) && SSL_in_init(s)) { /* type == SSL3_RT_APPLICATION_DATA */ i = s->handshake_func(s); + /* SSLfatal() already called */ if (i < 0) return i; - if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); + if (i == 0) return -1; - } } start: s->rwstate = SSL_NOTHING; @@ -1224,14 +1280,16 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* get new records if necessary */ if (num_recs == 0) { ret = ssl3_get_record(s); - if (ret <= 0) + if (ret <= 0) { + /* SSLfatal() already called if appropriate */ return ret; + } num_recs = RECORD_LAYER_get_numrpipes(&s->rlayer); if (num_recs == 0) { /* Shouldn't happen */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; } } /* Skip over any records we have already read */ @@ -1259,9 +1317,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, * reset by ssl3_get_finished */ && (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); + return -1; } /* @@ -1289,17 +1347,17 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && (s->enc_read_ctx == NULL)) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_APP_DATA_IN_HANDSHAKE); + return -1; } if (type == SSL3_RT_HANDSHAKE && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC && s->rlayer.handshake_fragment_len > 0) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_CCS_RECEIVED_EARLY); + return -1; } if (recvd_type != NULL) @@ -1374,9 +1432,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * initial ClientHello. Therefore |type| should always be equal to * |rr->type|. If not then something has gone horribly wrong */ - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; } if (s->method->version == TLS_ANY_VERSION @@ -1388,9 +1446,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * other than a ClientHello if we are a server. */ s->version = rr->rec_version; - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_MESSAGE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_UNEXPECTED_MESSAGE); + return -1; } /* @@ -1463,9 +1521,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, || !PACKET_get_1(&alert, &alert_level) || !PACKET_get_1(&alert, &alert_descr) || PACKET_remaining(&alert) != 0) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INVALID_ALERT); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_INVALID_ALERT); + return -1; } if (s->msg_callback) @@ -1488,9 +1546,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, s->rlayer.alert_count++; if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_TOO_MANY_WARN_ALERTS); + return -1; } if (alert_descr == SSL_AD_CLOSE_NOTIFY) { @@ -1502,9 +1560,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * is user_cancelled - which we just ignore. */ if (SSL_IS_TLS13(s) && alert_descr != SSL_AD_USER_CANCELLED) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_READ_BYTES, + SSL_R_UNKNOWN_ALERT_TYPE); + return -1; } /* * This is a warning but we receive it if we requested @@ -1515,26 +1573,27 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * the peer refused it where we carry on. */ if (alert_descr == SSL_AD_NO_RENEGOTIATION) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION); - goto f_err; + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_SSL3_READ_BYTES, + SSL_R_NO_RENEGOTIATION); + return -1; } } else if (alert_level == SSL3_AL_FATAL) { char tmp[16]; s->rwstate = SSL_NOTHING; s->s3->fatal_alert = alert_descr; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); - BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES, + SSL_AD_REASON_OFFSET + alert_descr); + BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL3_RECORD_set_read(rr); SSL_CTX_remove_session(s->session_ctx, s->session); return 0; } else { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SSL3_READ_BYTES, + SSL_R_UNKNOWN_ALERT_TYPE); + return -1; } goto start; @@ -1549,9 +1608,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_CCS_RECEIVED_EARLY); + return -1; } /* @@ -1566,10 +1625,10 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, ossl_statem_set_in_init(s, 1); i = s->handshake_func(s); + /* SSLfatal() already called if appropriate */ if (i < 0) return i; if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } @@ -1610,9 +1669,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * no progress is being made and the peer continually sends unrecognised * record types, using up resources processing them. */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: case SSL3_RT_HANDSHAKE: @@ -1621,9 +1680,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but * that should not happen when type != rr->type */ - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + ERR_R_INTERNAL_ERROR); + return -1; case SSL3_RT_APPLICATION_DATA: /* * At this point, we were expecting handshake data, but have @@ -1646,21 +1705,18 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * record. */ if (!early_data_count_ok(s, rr->length, - EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) - goto f_err; + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } SSL3_RECORD_set_read(rr); goto start; } else { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_UNEXPECTED_RECORD); + return -1; } } - /* not reached */ - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return -1; } void ssl3_record_sequence_update(unsigned char *seq) diff --git a/ssl/record/record_locl.h b/ssl/record/record_locl.h index fefb0df..c20f5fe 100644 --- a/ssl/record/record_locl.h +++ b/ssl/record/record_locl.h @@ -114,4 +114,4 @@ __owur int tls1_cbc_remove_padding(const SSL *s, size_t block_size, size_t mac_size); int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap); __owur int dtls1_get_record(SSL *s); -int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al); +int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send); diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index 6d3a232..53bd4cb 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -60,18 +60,22 @@ int ssl3_setup_read_buffer(SSL *s) #endif if (b->default_len > len) len = b->default_len; - if ((p = OPENSSL_malloc(len)) == NULL) - goto err; + if ((p = OPENSSL_malloc(len)) == NULL) { + /* + * We've got a malloc failure, and we're still initialising buffers. + * We assume we're so doomed that we won't even be able to send an + * alert. + */ + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_SETUP_READ_BUFFER, + ERR_R_MALLOC_FAILURE); + return 0; + } b->buf = p; b->len = len; } RECORD_LAYER_set_packet(&s->rlayer, &(b->buf[0])); return 1; - - err: - SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE); - return 0; } int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) @@ -116,7 +120,12 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) p = OPENSSL_malloc(len); if (p == NULL) { s->rlayer.numwpipes = currpipe; - SSLfatal(s, SSL_AD_INTERNAL_ERROR, + /* + * We've got a malloc failure, and we're still initialising + * buffers. We assume we're so doomed that we won't even be able + * to send an alert. + */ + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); return 0; } @@ -131,8 +140,10 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) int ssl3_setup_buffers(SSL *s) { - if (!ssl3_setup_read_buffer(s)) + if (!ssl3_setup_read_buffer(s)) { + /* SSLfatal() already called */ return 0; + } if (!ssl3_setup_write_buffer(s, 1, 0)) { /* SSLfatal() already called */ return 0; diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 28a706f..213f001 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -101,7 +101,7 @@ static int ssl3_record_app_data_waiting(SSL *s) return 1; } -int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) +int early_data_count_ok(SSL *s, size_t length, size_t overhead, int send) { uint32_t max_early_data = s->max_early_data; SSL_SESSION *sess = s->session; @@ -114,7 +114,8 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) if (!s->server && sess->ext.max_early_data == 0) { if (!ossl_assert(s->psksession != NULL && s->psksession->ext.max_early_data > 0)) { - SSLerr(SSL_F_EARLY_DATA_COUNT_OK, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_EARLY_DATA_COUNT_OK, + ERR_R_INTERNAL_ERROR); return 0; } sess = s->psksession; @@ -124,9 +125,8 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) max_early_data = sess->ext.max_early_data; if (max_early_data == 0) { - if (al != NULL) - *al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } @@ -134,9 +134,8 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) max_early_data += overhead; if (s->early_data_count + length > max_early_data) { - if (al != NULL) - *al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); + SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } s->early_data_count += length; @@ -168,8 +167,7 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al) /* used only by ssl3_read_bytes */ int ssl3_get_record(SSL *s) { - int al; - int enc_err, rret, ret = -1; + int enc_err, rret; int i; size_t more, n; SSL3_RECORD *rr, *thisrr; @@ -211,16 +209,16 @@ int ssl3_get_record(SSL *s) p = RECORD_LAYER_get_packet(&s->rlayer); if (!PACKET_buf_init(&pkt, RECORD_LAYER_get_packet(&s->rlayer), RECORD_LAYER_get_packet_length(&s->rlayer))) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } sslv2pkt = pkt; if (!PACKET_get_net_2_len(&sslv2pkt, &sslv2len) || !PACKET_get_1(&sslv2pkt, &type)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } /* * The first record received by the server may be a V2ClientHello. @@ -244,15 +242,15 @@ int ssl3_get_record(SSL *s) if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL2_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } if (thisrr->length < MIN_SSL2_RECORD_LEN) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } } else { /* SSLv3+ style record */ @@ -264,9 +262,9 @@ int ssl3_get_record(SSL *s) if (!PACKET_get_1(&pkt, &type) || !PACKET_get_net_2(&pkt, &version) || !PACKET_get_net_2_len(&pkt, &thisrr->length)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } thisrr->type = type; thisrr->rec_version = version; @@ -280,7 +278,6 @@ int ssl3_get_record(SSL *s) if (!s->first_packet && !SSL_IS_TLS13(s) && !s->hello_retry_request && version != (unsigned int)s->version) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) { if (thisrr->type == SSL3_RT_ALERT) { @@ -292,15 +289,18 @@ int ssl3_get_record(SSL *s) * shouldn't send a fatal alert back. We'll just * end. */ - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } /* * Send back error using their minor version number :-) */ s->version = (unsigned short)version; } - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } if ((version >> 8) != SSL3_VERSION_MAJOR) { @@ -312,38 +312,39 @@ int ssl3_get_record(SSL *s) strncmp((char *)p, "POST ", 5) == 0 || strncmp((char *)p, "HEAD ", 5) == 0 || strncmp((char *)p, "PUT ", 4) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTP_REQUEST); + return -1; } else if (strncmp((char *)p, "CONNE", 5) == 0) { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_HTTPS_PROXY_REQUEST); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_HTTPS_PROXY_REQUEST); + return -1; } /* Doesn't look like TLS - don't send an alert */ - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - goto err; + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } else { - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_WRONG_VERSION_NUMBER); - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_SSL3_GET_RECORD, + SSL_R_WRONG_VERSION_NUMBER); + return -1; } } if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL && thisrr->type != SSL3_RT_APPLICATION_DATA) { - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, + SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); + return -1; } if (thisrr->length > SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_PACKET_LENGTH_TOO_LONG); + return -1; } } @@ -352,9 +353,9 @@ int ssl3_get_record(SSL *s) if (SSL_IS_TLS13(s)) { if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; } } else { size_t len = SSL3_RT_MAX_ENCRYPTED_LENGTH; @@ -369,9 +370,9 @@ int ssl3_get_record(SSL *s) #endif if (thisrr->length > len) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; } } @@ -452,27 +453,26 @@ int ssl3_get_record(SSL *s) /* TODO(size_t): convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_LIB_EVP); + return -1; } mac_size = (size_t)imac_size; for (j = 0; j < num_recs; j++) { thisrr = &rr[j]; if (thisrr->length < mac_size) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } thisrr->length -= mac_size; mac = thisrr->data + thisrr->length; i = s->method->ssl3_enc->mac(s, thisrr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, mac_size) != 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + return -1; } } } @@ -488,6 +488,10 @@ int ssl3_get_record(SSL *s) * -1: if the padding is invalid */ if (enc_err == 0) { + if (ossl_statem_in_error(s)) { + /* SSLfatal() already got called */ + return -1; + } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { /* * Valid early_data that we cannot decrypt might fail here as @@ -497,8 +501,10 @@ int ssl3_get_record(SSL *s) thisrr = &rr[0]; if (!early_data_count_ok(s, thisrr->length, - EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) - goto f_err; + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } thisrr->length = 0; thisrr->read = 1; @@ -506,9 +512,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_reset_read_sequence(&s->rlayer); return 1; } - al = SSL_AD_DECRYPTION_FAILED; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - goto f_err; + SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD, + SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + return -1; } #ifdef SSL_DEBUG printf("dec %"OSSLzu"\n", rr[0].length); @@ -530,9 +536,9 @@ int ssl3_get_record(SSL *s) mac_size = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } for (j = 0; j < num_recs; j++) { @@ -547,9 +553,9 @@ int ssl3_get_record(SSL *s) /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && thisrr->orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_GET_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return -1; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -561,9 +567,9 @@ int ssl3_get_record(SSL *s) */ mac = mac_tmp; if (!ssl3_cbc_copy_mac(mac_tmp, thisrr, mac_size)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GET_RECORD, + ERR_R_INTERNAL_ERROR); + return -1; } thisrr->length -= mac_size; } else { @@ -586,6 +592,10 @@ int ssl3_get_record(SSL *s) } if (enc_err < 0) { + if (ossl_statem_in_error(s)) { + /* We already called SSLfatal() */ + return -1; + } if (num_recs == 1 && ossl_statem_skip_early_data(s)) { /* * We assume this is unreadable early_data - we treat it like an @@ -597,8 +607,10 @@ int ssl3_get_record(SSL *s) * so we use the previously saved value */ if (!early_data_count_ok(s, first_rec_len, - EARLY_DATA_CIPHERTEXT_OVERHEAD, &al)) - goto f_err; + EARLY_DATA_CIPHERTEXT_OVERHEAD, 0)) { + /* SSLfatal() already called */ + return -1; + } thisrr = &rr[0]; thisrr->length = 0; @@ -614,10 +626,9 @@ int ssl3_get_record(SSL *s) * not reveal which kind of error occurred -- this might become * visible to an attacker (e.g. via a logfile) */ - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD, - SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD, + SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + return -1; } for (j = 0; j < num_recs; j++) { @@ -626,14 +637,14 @@ int ssl3_get_record(SSL *s) /* thisrr->length is now just compressed */ if (s->expand != NULL) { if (thisrr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return -1; } if (!ssl3_do_uncompress(s, thisrr)) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_DECOMPRESSION); + return -1; } } @@ -642,9 +653,9 @@ int ssl3_get_record(SSL *s) if (thisrr->length == 0 || thisrr->type != SSL3_RT_APPLICATION_DATA) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; } /* Strip trailing padding */ @@ -657,9 +668,9 @@ int ssl3_get_record(SSL *s) if (thisrr->type != SSL3_RT_APPLICATION_DATA && thisrr->type != SSL3_RT_ALERT && thisrr->type != SSL3_RT_HANDSHAKE) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_RECORD_TYPE); + return -1; } if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, @@ -674,23 +685,23 @@ int ssl3_get_record(SSL *s) && (thisrr->type == SSL3_RT_HANDSHAKE || thisrr->type == SSL3_RT_ALERT) && thisrr->length == 0) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_LENGTH); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_BAD_LENGTH); + return -1; } if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; } /* If received packet overflows current Max Fragment Length setting */ if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return -1; } thisrr->off = 0; @@ -707,9 +718,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_inc_empty_record_count(&s->rlayer); if (RECORD_LAYER_get_empty_record_count(&s->rlayer) > MAX_EMPTY_RECORDS) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL); - goto f_err; + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, + SSL_R_RECORD_TOO_SMALL); + return -1; } } else { RECORD_LAYER_reset_empty_record_count(&s->rlayer); @@ -719,17 +730,14 @@ int ssl3_get_record(SSL *s) if (s->early_data_state == SSL_EARLY_DATA_READING) { thisrr = &rr[0]; if (thisrr->type == SSL3_RT_APPLICATION_DATA - && !early_data_count_ok(s, thisrr->length, 0, &al)) - goto f_err; + && !early_data_count_ok(s, thisrr->length, 0, 0)) { + /* SSLfatal already called */ + return -1; + } } RECORD_LAYER_set_numrpipes(&s->rlayer, num_recs); return 1; - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return ret; } int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr) @@ -776,7 +784,8 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr) } /*- - * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs| + * ssl3_enc encrypts/decrypts |n_recs| records in |inrecs|. Will call + * SSLfatal() for internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too @@ -851,8 +860,11 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) if (EVP_MD_CTX_md(s->read_hash) != NULL) { /* TODO(size_t): convert me */ imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } mac_size = (size_t)imac_size; } if ((bs != 1) && !sending) @@ -863,7 +875,8 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending) #define MAX_PADDING 256 /*- - * tls1_enc encrypts/decrypts |n_recs| in |recs|. + * tls1_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for + * internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too @@ -883,14 +896,18 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) int imac_size; const EVP_CIPHER *enc; - if (n_recs == 0) + if (n_recs == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return 0; + } if (sending) { if (EVP_MD_CTX_md(s->write_hash)) { int n = EVP_MD_CTX_size(s->write_hash); if (!ossl_assert(n >= 0)) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -913,10 +930,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) * we can't write into the input stream: Can this ever * happen?? (steve) */ - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -926,7 +945,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) if (EVP_MD_CTX_md(s->read_hash)) { int n = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(n >= 0)) { - SSLerr(SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; } } @@ -953,7 +973,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) * We shouldn't have been called with pipeline data if the * cipher doesn't support pipelining */ - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } @@ -991,8 +1012,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) buf[ctr][12] = (unsigned char)(recs[ctr].length & 0xff); pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, EVP_AEAD_TLS1_AAD_LEN, buf[ctr]); - if (pad <= 0) + if (pad <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } if (sending) { reclen[ctr] += pad; @@ -1004,8 +1028,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) /* Add weird padding of upto 256 bytes */ - if (padnum > MAX_PADDING) + if (padnum > MAX_PADDING) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } /* we need to add 'padnum' padding bytes of value padval */ padval = (unsigned char)(padnum - 1); for (loop = reclen[ctr]; loop < reclen[ctr] + padnum; loop++) @@ -1028,7 +1055,9 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) } if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS, (int)n_recs, data) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); + return -1; } /* Set the input buffers */ for (ctr = 0; ctr < n_recs; ctr++) { @@ -1038,7 +1067,8 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) (int)n_recs, data) <= 0 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS, (int)n_recs, reclen) <= 0) { - SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + SSL_R_PIPELINE_FAILURE); return -1; } } @@ -1051,6 +1081,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) ? (tmpr < 0) : (tmpr == 0)) return -1; /* AEAD can fail to verify MAC */ + if (sending == 0) { if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) { for (ctr = 0; ctr < n_recs; ctr++) { @@ -1070,8 +1101,11 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) ret = 1; if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) { imac_size = EVP_MD_CTX_size(s->read_hash); - if (imac_size < 0) + if (imac_size < 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } mac_size = (size_t)imac_size; } if ((bs != 1) && !sending) { @@ -1518,7 +1552,7 @@ int ssl3_cbc_copy_mac(unsigned char *out, int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) { - int i, al; + int i; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; @@ -1549,9 +1583,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* check is not needed I believe */ if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return 0; } /* decrypt in place in 'rr->input' */ @@ -1562,23 +1596,22 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) unsigned char *mac; mac_size = EVP_MD_CTX_size(s->read_hash); if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; } if (rr->orig_len < mac_size) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; } rr->length -= mac_size; mac = rr->data + rr->length; i = s->method->ssl3_enc->mac(s, rr, md, 0 /* not send */ ); if (i == 0 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) { - al = SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, + SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); - goto f_err; + return 0; } } @@ -1590,10 +1623,14 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) * -1: if the padding is invalid */ if (enc_err == 0) { + if (ossl_statem_in_error(s)) { + /* SSLfatal() got called */ + return 0; + } /* For DTLS we simply ignore bad packets. */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; + return 0; } #ifdef SSL_DEBUG printf("dec %ld\n", rr->length); @@ -1615,15 +1652,15 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* TODO(size_t): Convert this to do size_t properly */ imac_size = EVP_MD_CTX_size(s->read_hash); if (imac_size < 0) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_LIB_EVP); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_LIB_EVP); + return 0; } mac_size = (size_t)imac_size; if (!ossl_assert(mac_size <= EVP_MAX_MD_SIZE)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; } /* @@ -1636,9 +1673,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && rr->orig_len < mac_size + 1)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); - goto f_err; + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_LENGTH_TOO_SHORT); + return 0; } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { @@ -1650,9 +1687,9 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) */ mac = mac_tmp; if (!ssl3_cbc_copy_mac(mac_tmp, rr, mac_size)) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, ERR_R_INTERNAL_ERROR); - goto f_err; + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PROCESS_RECORD, + ERR_R_INTERNAL_ERROR); + return 0; } rr->length -= mac_size; } else { @@ -1677,28 +1714,27 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) /* decryption failed, silently discard message */ rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); - goto err; + return 0; } /* r->length is now just compressed */ if (s->expand != NULL) { if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, - SSL_R_COMPRESSED_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_COMPRESSED_LENGTH_TOO_LONG); + return 0; } if (!ssl3_do_uncompress(s, rr)) { - al = SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); - goto f_err; + SSLfatal(s, SSL_AD_DECOMPRESSION_FAILURE, + SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); + return 0; } } if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { - al = SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); - goto f_err; + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_DTLS1_PROCESS_RECORD, + SSL_R_DATA_LENGTH_TOO_LONG); + return 0; } rr->off = 0; @@ -1718,11 +1754,6 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) dtls1_record_bitmap_update(s, bitmap); return 1; - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: - return 0; } /* @@ -1760,8 +1791,10 @@ int dtls1_get_record(SSL *s) * The epoch may have changed. If so, process all the pending records. * This is a non-blocking operation. */ - if (!dtls1_process_buffered_records(s)) + if (!dtls1_process_buffered_records(s)) { + /* SSLfatal() already called */ return -1; + } /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s)) @@ -1775,8 +1808,10 @@ int dtls1_get_record(SSL *s) rret = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1, &n); /* read timeout is handled by dtls1_read_bytes */ - if (rret <= 0) + if (rret <= 0) { + /* SSLfatal() already called if appropriate */ return rret; /* error or non-blocking */ + } /* this packet contained a partial record, dump it */ if (RECORD_LAYER_get_packet_length(&s->rlayer) != @@ -1852,6 +1887,10 @@ int dtls1_get_record(SSL *s) rret = ssl3_read_n(s, more, more, 1, 1, &n); /* this packet contained a partial record, dump it */ if (rret <= 0 || n != more) { + if (ossl_statem_in_error(s)) { + /* ssl3_read_n() called SSLfatal() */ + return -1; + } rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; @@ -1901,10 +1940,12 @@ int dtls1_get_record(SSL *s) */ if (is_next_epoch) { if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) { - if (dtls1_buffer_record - (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), - rr->seq_num) < 0) + if (dtls1_buffer_record (s, + &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)), + rr->seq_num) < 0) { + /* SSLfatal() already called */ return -1; + } } rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); @@ -1912,6 +1953,10 @@ int dtls1_get_record(SSL *s) } if (!dtls1_process_record(s, bitmap)) { + if (ossl_statem_in_error(s)) { + /* dtls1_process_record() called SSLfatal */ + return -1; + } rr->length = 0; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c index 696cc37..f1e1667 100644 --- a/ssl/record/ssl3_record_tls13.c +++ b/ssl/record/ssl3_record_tls13.c @@ -12,7 +12,8 @@ #include "internal/cryptlib.h" /*- - * tls13_enc encrypts/decrypts |n_recs| in |recs|. + * tls13_enc encrypts/decrypts |n_recs| in |recs|. Will call SSLfatal() for + * internal errors, but not otherwise. * * Returns: * 0: (in non-constant time) if the record is publically invalid (i.e. too @@ -35,6 +36,8 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) if (n_recs != 1) { /* Should not happen */ /* TODO(TLS1.3): Support pipelining */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); return -1; } @@ -62,8 +65,11 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) alg_enc = s->session->cipher->algorithm_enc; } else { if (!ossl_assert(s->psksession != NULL - && s->psksession->ext.max_early_data > 0)) + && s->psksession->ext.max_early_data > 0)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } alg_enc = s->psksession->cipher->algorithm_enc; } } else { @@ -71,8 +77,11 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) * To get here we must have selected a ciphersuite - otherwise ctx would * be NULL */ - if (!ossl_assert(s->s3->tmp.new_cipher != NULL)) + if (!ossl_assert(s->s3->tmp.new_cipher != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } alg_enc = s->s3->tmp.new_cipher->algorithm_enc; } @@ -82,13 +91,18 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) else taglen = EVP_CCM_TLS_TAG_LEN; if (sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, - NULL) <= 0) + NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } } else if (alg_enc & SSL_AESGCM) { taglen = EVP_GCM_TLS_TAG_LEN; } else if (alg_enc & SSL_CHACHA20) { taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); return -1; } @@ -105,6 +119,8 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) /* Set up IV */ if (ivlen < SEQ_NUM_SIZE) { /* Should not happen */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); return -1; } offset = ivlen - SEQ_NUM_SIZE; @@ -137,8 +153,11 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) if (sending) { /* Add the tag */ if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, - rec->data + rec->length) <= 0) + rec->data + rec->length) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_ENC, + ERR_R_INTERNAL_ERROR); return -1; + } rec->length += taglen; } diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 7710ef0..7b201e0 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -128,6 +128,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = { "ssl3_digest_cached_records"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, 0), "ssl3_do_change_cipher_spec"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_ENC, 0), "ssl3_enc"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_FINAL_FINISH_MAC, 0), "ssl3_final_finish_mac"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_FINISH_MAC, 0), "ssl3_finish_mac"}, @@ -362,6 +363,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = { {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS12_COPY_SIGALGS, 0), "tls12_copy_sigalgs"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_CHANGE_CIPHER_STATE, 0), "tls13_change_cipher_state"}, + {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_ENC, 0), "tls13_enc"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_FINAL_FINISH_MAC, 0), "tls13_final_finish_mac"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_TLS13_GENERATE_SECRET, 0), diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index d19fe0a..8604d5b 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -944,7 +944,7 @@ int dtls1_read_failed(SSL *s, int code) return 0; } - if (!dtls1_is_timer_expired(s)) { + if (!dtls1_is_timer_expired(s) || ossl_statem_in_error(s)) { /* * not a timeout, none of our business, let higher layers handle * this. in fact it's probably an error _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits