From dcf88c5b79cbd433ee37276cdf63cdb5d49673cd Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 20 Apr 2017 10:58:27 +0100
Subject: [PATCH] Add better error logging if SCTP AUTH chunks are not enabled

In order to use SCTP over DTLS we need ACTP AUTH chunks to be enabled in the kernel.

Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/3286)
---
 crypto/bio/bio_err.c   |  1 +
 crypto/bio/bss_dgram.c | 17 ++++++++++++++---
 include/openssl/bio.h  |  1 +
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/crypto/bio/bio_err.c b/crypto/bio/bio_err.c
index c49a934095..9442d80e61 100644
--- a/crypto/bio/bio_err.c
+++ b/crypto/bio/bio_err.c
@@ -36,6 +36,7 @@ static ERR_STRING_DATA BIO_str_functs[] = {
     {ERR_FUNC(BIO_F_BIO_LOOKUP_EX), "BIO_lookup_ex"},
     {ERR_FUNC(BIO_F_BIO_MAKE_PAIR), "bio_make_pair"},
     {ERR_FUNC(BIO_F_BIO_NEW), "BIO_new"},
+    {ERR_FUNC(BIO_F_BIO_NEW_DGRAM_SCTP), "BIO_new_dgram_sctp"},
     {ERR_FUNC(BIO_F_BIO_NEW_FILE), "BIO_new_file"},
     {ERR_FUNC(BIO_F_BIO_NEW_MEM_BUF), "BIO_new_mem_buf"},
     {ERR_FUNC(BIO_F_BIO_NREAD), "BIO_nread"},
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index d43e8dc471..d3a7b03fba 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -842,6 +842,8 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
                      sizeof(struct sctp_authchunk));
     if (ret < 0) {
         BIO_vfree(bio);
+        BIOerr(BIO_F_BIO_NEW_DGRAM_SCTP, ERR_R_SYS_LIB);
+        ERR_add_error_data(1, "Ensure SCTP AUTH chunks are enabled in kernel");
         return (NULL);
     }
     auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
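Review bot: The new BIOerr/ERR_add_error_data calls come after `BIO_vfree(bio);`, so the errno left by the failed setsockopt() is never recorded and may already be overwritten by the free (which, if close_flag was BIO_CLOSE, also closes fd — the BIO_set_fd() call is outside this hunk, so treat that as inferred). ERR_R_SYS_LIB plus a fixed hint tells the operator that something at the system level failed but not what, and the real errno is what distinguishes a kernel built without SCTP-AUTH from, say, a permissions or invalid-argument problem. Record the socket error first, e.g. `SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());` immediately after `if (ret < 0) {`, and keep the two added lines as the BIO-level hint; this assumes SYS_F_SETSOCKOPT is available in this tree's err.h as it is for the other socket BIOs. BIO_new_dgram_sctp begins and continues outside the hunk.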
@@ -850,13 +852,16 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
                      sizeof(struct sctp_authchunk));
     if (ret < 0) {
         BIO_vfree(bio);
+        BIOerr(BIO_F_BIO_NEW_DGRAM_SCTP, ERR_R_SYS_LIB);
+        ERR_add_error_data(1, "Ensure SCTP AUTH chunks are enabled in kernel");
         return (NULL);
     }
 
     /*
      * Test if activation was successful. When using accept(), SCTP-AUTH has
      * to be activated for the listening socket already, otherwise the
-     * connected socket won't use it.
+     * connected socket won't use it. Similarly with connect(): the socket
+     * prior to connection must be activated for SCTP-AUTH
      */
     sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
     authchunks = OPENSSL_zalloc(sockopt_len);
@@ -883,8 +888,14 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 
     OPENSSL_free(authchunks);
 
-    OPENSSL_assert(auth_data);
-    OPENSSL_assert(auth_forward);
+    if (!auth_data || !auth_forward) {
+        BIO_vfree(bio);
+        BIOerr(BIO_F_BIO_NEW_DGRAM_SCTP, ERR_R_SYS_LIB);
+        ERR_add_error_data(1,
+                           "Ensure SCTP AUTH chunks are enabled on the "
+                           "underlying socket");
+        return NULL;
+    }
 
 # ifdef SCTP_AUTHENTICATION_EVENT
 # ifdef SCTP_EVENT
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index 225642bed0..dea28c1cc1 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -811,6 +811,7 @@ int ERR_load_BIO_strings(void);
 # define BIO_F_BIO_LOOKUP_EX 143
 # define BIO_F_BIO_MAKE_PAIR 121
 # define BIO_F_BIO_NEW 108
+# define BIO_F_BIO_NEW_DGRAM_SCTP 145
 # define BIO_F_BIO_NEW_FILE 109
 # define BIO_F_BIO_NEW_MEM_BUF 126
 # define BIO_F_BIO_NREAD 123
-- 
2.25.1
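Review bot: The hint string on the added ERR_add_error_data line is byte-identical to the one pushed in the first hunk of this file, so a caller printing the error queue cannot tell which of the two SCTP_AUTH_CHUNK registrations failed; the line closing the previous hunk sets `auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE`, so this one appears to be the FORWARD-TSN registration (the setsockopt itself sits between the hunks and is not visible). Naming the chunk in the hint, e.g. `ERR_add_error_data(1, "Ensure SCTP AUTH chunks are enabled in kernel (FORWARD-TSN chunk)");`, makes the two failures distinguishable at no cost. The sentence appended to the comment, "prior to connection must be activated for SCTP-AUTH", is also missing its terminating period. BIO_new_dgram_sctp begins and continues outside the hunk.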
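Review bot: `ERR_R_SYS_LIB` is the wrong reason for the new `if (!auth_data || !auth_forward)` branch: no system call failed on this path — the getsockopt that fills authchunks (outside the hunk) returned and simply did not list both chunk types — so the reason code sends the operator looking for an errno that does not exist. A dedicated BIO reason generated through the usual error-code tooling would describe the condition accurately; the ERR_add_error_data hint can stay as is. The new `return NULL;` is also inconsistent with the `return (NULL);` used by the two earlier failure branches in the same function; pick one form. Turning the OPENSSL_assert() aborts into a NULL return is the right direction, since an SCTP association whose DATA and FORWARD-TSN chunks are not authenticated must not carry DTLS, but it means every caller of BIO_new_dgram_sctp must now check for NULL instead of relying on the abort. The function begins and continues outside the hunk.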