From 05ec6a25f80ac8edfb7d7cb764d2dd68156a6965 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 8 Jul 2016 12:27:30 +0100 Subject: [PATCH] Fix up error codes after splitting up tls_construct_key_exchange() Reviewed-by: Richard Levitte --- include/openssl/ssl.h | 6 +++ ssl/ssl_err.c | 7 ++++ ssl/statem/statem_clnt.c | 79 +++++++++++++++------------------------- 3 files changed, 43 insertions(+), 49 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 1e50e7e4b3..8dcd525a98 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2203,6 +2203,12 @@ void ERR_load_SSL_strings(void); # define SSL_F_TLS1_SET_SERVER_SIGALGS 335 # define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK 354 # define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST 372 +# define SSL_F_TLS_CONSTRUCT_CKE_DHE 404 +# define SSL_F_TLS_CONSTRUCT_CKE_ECDHE 405 +# define SSL_F_TLS_CONSTRUCT_CKE_GOST 406 +# define SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE 407 +# define SSL_F_TLS_CONSTRUCT_CKE_RSA 409 +# define SSL_F_TLS_CONSTRUCT_CKE_SRP 410 # define SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE 355 # define SSL_F_TLS_CONSTRUCT_CLIENT_HELLO 356 # define SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE 357 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index b69e91c58e..5192168e97 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -231,6 +231,13 @@ static ERR_STRING_DATA SSL_str_functs[] = { "tls_client_key_exchange_post_work"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST), "tls_construct_certificate_request"}, + {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_DHE), "tls_construct_cke_dhe"}, + {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_ECDHE), "tls_construct_cke_ecdhe"}, + {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_GOST), "tls_construct_cke_gost"}, + {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE), + "tls_construct_cke_psk_preamble"}, + {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_RSA), "tls_construct_cke_rsa"}, + {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_SRP), "tls_construct_cke_srp"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE), "tls_construct_client_certificate"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO), diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 236fffc2f5..60aecdbb3c 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2030,8 +2030,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, size_t psklen = 0; if (s->psk_client_callback == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_CLIENT_CB); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_CLIENT_CB); *al = SSL_AD_INTERNAL_ERROR; goto err; } @@ -2043,12 +2042,11 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, psk, sizeof(psk)); if (psklen > PSK_MAX_PSK_LEN) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); *al = SSL_AD_HANDSHAKE_FAILURE; goto err; } else if (psklen == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, SSL_R_PSK_IDENTITY_NOT_FOUND); *al = SSL_AD_HANDSHAKE_FAILURE; goto err; @@ -2056,8 +2054,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, identitylen = strlen(identity); if (identitylen > PSK_MAX_IDENTITY_LEN) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); *al = SSL_AD_HANDSHAKE_FAILURE; goto err; } @@ -2065,7 +2062,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, tmppsk = OPENSSL_memdup(psk, psklen); tmpidentity = OPENSSL_strdup(identity); if (tmppsk == NULL || tmpidentity == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE); *al = SSL_AD_INTERNAL_ERROR; goto err; } @@ -2092,7 +2089,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p, return ret; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); *al = SSL_AD_INTERNAL_ERROR; return 0; #endif @@ -2112,23 +2109,20 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) /* * We should always have a server certificate with SSL_kRSA. */ - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR); return 0; } pkey = X509_get0_pubkey(s->session->peer); if (EVP_PKEY_get0_RSA(pkey) == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR); return 0; } pmslen = SSL_MAX_MASTER_KEY_LENGTH; pms = OPENSSL_malloc(pmslen); if (pms == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_MALLOC_FAILURE); *al = SSL_AD_INTERNAL_ERROR; return 0; } @@ -2146,13 +2140,11 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) pctx = EVP_PKEY_CTX_new(pkey, NULL); if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0 || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_EVP_LIB); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_EVP_LIB); goto err; } if (EVP_PKEY_encrypt(pctx, *p, &enclen, pms, pmslen) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - SSL_R_BAD_RSA_ENCRYPT); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, SSL_R_BAD_RSA_ENCRYPT); goto err; } *len = enclen; @@ -2181,7 +2173,7 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al) return 0; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR); *al = SSL_AD_INTERNAL_ERROR; return 0; #endif @@ -2196,16 +2188,14 @@ static int tls_construct_cke_dhe(SSL *s, unsigned char **p, int *len, int *al) skey = s->s3->peer_tmp; if (skey == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); return 0; } ckey = ssl_generate_pkey(skey, NID_undef); dh_clnt = EVP_PKEY_get0_DH(ckey); if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); EVP_PKEY_free(ckey); return 0; } @@ -2220,7 +2210,7 @@ static int tls_construct_cke_dhe(SSL *s, unsigned char **p, int *len, int *al) return 1; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR); *al = SSL_AD_INTERNAL_ERROR; return 0; #endif @@ -2235,15 +2225,14 @@ static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al) skey = s->s3->peer_tmp; if ((skey == NULL) || EVP_PKEY_get0_EC_KEY(skey) == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR); return 0; } ckey = ssl_generate_pkey(skey, NID_undef); if (ssl_derive(s, ckey, skey) == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_EVP_LIB); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB); goto err; } @@ -2253,7 +2242,7 @@ static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al) &encodedPoint, NULL); if (encoded_pt_len == 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EC_LIB); goto err; } @@ -2277,7 +2266,7 @@ static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al) EVP_PKEY_free(ckey); return 0; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR); *al = SSL_AD_INTERNAL_ERROR; return 0; #endif @@ -2306,7 +2295,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) peer_cert = s->session->peer; if (!peer_cert) { *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); return 0; } @@ -2314,8 +2303,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL); if (pkey_ctx == NULL) { *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE); return 0; } /* @@ -2329,8 +2317,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) pms = OPENSSL_malloc(pmslen); if (pms == NULL) { *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE); return 0; } @@ -2338,8 +2325,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) /* Generate session key */ || RAND_bytes(pms, pmslen) <= 0) { *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; }; /* @@ -2368,8 +2354,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) SSL3_RANDOM_SIZE) <= 0 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) { *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; } EVP_MD_CTX_free(ukm_hash); @@ -2377,8 +2362,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - SSL_R_LIBRARY_BUG); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG); goto err; } /* Make GOST keytransport blob message */ @@ -2389,8 +2373,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) msglen = 255; if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) { *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - SSL_R_LIBRARY_BUG); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG); goto err; } if (msglen >= 0x80) { @@ -2419,7 +2402,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al) EVP_MD_CTX_free(ukm_hash); return 0; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); *al = SSL_AD_INTERNAL_ERROR; return 0; #endif @@ -2435,21 +2418,19 @@ static int tls_construct_cke_srp(SSL *s, unsigned char **p, int *len, int *al) BN_bn2bin(s->srp_ctx.A, *p); *len += 2; } else { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR); return 0; } OPENSSL_free(s->session->srp_username); s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); if (s->session->srp_username == NULL) { - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_MALLOC_FAILURE); return 0; } return 1; #else - SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR); *al = SSL_AD_INTERNAL_ERROR; return 0; #endif -- 2.25.1