Fix various error codes (f0659bdb) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

include/openssl/ssl.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -2165,7 +2165,7 @@ void ERR_load_SSL_strings(void);
		# define SSL_F_TLS_CONSTRUCT_SERVER_HELLO 376
		# define SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE 377
		# define SSL_F_TLS_GET_MESSAGE_BODY 351
		# define SSL_F_TLS_GET_MESSAGE_HEADER 350
		# define SSL_F_TLS_GET_MESSAGE_HEADER 387
		# define SSL_F_TLS_POST_PROCESS_CLIENT_HELLO 378
		# define SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE 384
		# define SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE 360
		@@ -2294,8 +2294,8 @@ void ERR_load_SSL_strings(void);
		# define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
		# define SSL_R_INVALID_TRUST 279
		# define SSL_R_LENGTH_MISMATCH 159
		# define SSL_R_LENGTH_TOO_LONG 102
		# define SSL_R_LENGTH_TOO_SHORT 160
		# define SSL_R_LENGTH_TOO_LONG 404
		# define SSL_R_LIBRARY_BUG 274
		# define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
		# define SSL_R_MISSING_DH_DSA_CERT 162

ssl/statem/statem_clnt.c

+21 −21

Original line number	Diff line number	Diff line
		@@ -1242,7 +1242,7 @@ enum MSG_PROCESS_RETURN tls_process_server_hello(SSL s, PACKET pkt)
		/* Get the session-id. */
		if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
		al = SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}
		session_id_len = PACKET_remaining(&session_id);
		@@ -1254,7 +1254,7 @@ enum MSG_PROCESS_RETURN tls_process_server_hello(SSL s, PACKET pkt)
		}

		if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
		al = SSL_AD_DECODE_ERROR;
		goto f_err;
		}
		@@ -1374,7 +1374,7 @@ enum MSG_PROCESS_RETURN tls_process_server_hello(SSL s, PACKET pkt)
		/* lets get the compression algorithm */
		/* COMPRESSION */
		if (!PACKET_get_1(pkt, &compression)) {
		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
		al = SSL_AD_DECODE_ERROR;
		goto f_err;
		}
		@@ -1642,7 +1642,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		if (alg_k & SSL_PSK) {
		PACKET psk_identity_hint;
		if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}

		@@ -1676,7 +1676,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		\|\| !PACKET_get_length_prefixed_2(pkt, &generator)
		\|\| !PACKET_get_length_prefixed_1(pkt, &salt)
		\|\| !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}

		@@ -1692,7 +1692,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		\|\| (s->srp_ctx.B =
		BN_bin2bn(PACKET_data(&server_pub),
		PACKET_remaining(&server_pub), NULL)) == NULL) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
		goto err;
		}

		@@ -1718,12 +1718,12 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)

		if (!PACKET_get_length_prefixed_2(pkt, &mod)
		\|\| !PACKET_get_length_prefixed_2(pkt, &exp)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}

		if ((rsa = RSA_new()) == NULL) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
		goto err;
		}

		@@ -1731,7 +1731,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		rsa->n)) == NULL
		\|\| (rsa->e = BN_bin2bn(PACKET_data(&exp), PACKET_remaining(&exp),
		rsa->e)) == NULL) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
		goto err;
		}

		@@ -1756,12 +1756,12 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		if (!PACKET_get_length_prefixed_2(pkt, &prime)
		\|\| !PACKET_get_length_prefixed_2(pkt, &generator)
		\|\| !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}

		if ((dh = DH_new()) == NULL) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_DH_LIB);
		goto err;
		}

		@@ -1772,12 +1772,12 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		\|\| (dh->pub_key =
		BN_bin2bn(PACKET_data(&pub_key),
		PACKET_remaining(&pub_key), NULL)) == NULL) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
		goto err;
		}

		if (BN_is_zero(dh->p) \|\| BN_is_zero(dh->g) \|\| BN_is_zero(dh->pub_key)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_VALUE);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_DH_VALUE);
		goto f_err;
		}

		@@ -1813,7 +1813,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		* ECParameters in this case is just three bytes.
		*/
		if (!PACKET_get_bytes(pkt, &ecparams, 3)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
		goto f_err;
		}
		/*
		@@ -1821,7 +1821,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		* invalid curve. ECParameters is 3 bytes.
		*/
		if (!tls1_check_curve(s, ecparams, 3)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
		goto f_err;
		}

		@@ -1861,13 +1861,13 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		}

		if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}

		if (EC_POINT_oct2point(group, srvr_ecpoint, PACKET_data(&encoded_pt),
		PACKET_remaining(&encoded_pt), bn_ctx) == 0) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
		goto f_err;
		}

		@@ -1911,7 +1911,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		PACKET_remaining(&save_param_start) -
		PACKET_remaining(pkt))) {
		al = SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
		goto f_err;
		}

		@@ -1919,7 +1919,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)
		unsigned char *sigalgs;
		int rv;
		if (!PACKET_get_bytes(pkt, &sigalgs, 2)) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
		goto f_err;
		}
		rv = tls12_check_peer_sigalg(&md, s, sigalgs, pkey);
		@@ -1937,7 +1937,7 @@ enum MSG_PROCESS_RETURN tls_process_key_exchange(SSL s, PACKET pkt)

		if (!PACKET_get_length_prefixed_2(pkt, &signature)
		\|\| PACKET_remaining(pkt) != 0) {
		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}
		j = EVP_PKEY_size(pkey);
		@@ -2178,7 +2178,7 @@ enum MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL s, PACKET pkt)
		\|\| !PACKET_get_net_2(pkt, &ticklen)
		\|\| PACKET_remaining(pkt) != ticklen) {
		al = SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}

ssl/statem/statem_srvr.c

+19 −17

Original line number	Diff line number	Diff line
		@@ -956,7 +956,7 @@ int dtls_construct_hello_verify_request(SSL *s)
		s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
		&(s->d1->cookie_len)) == 0 \|\|
		s->d1->cookie_len > 255) {
		SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
		SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
		SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
		ossl_statem_set_error(s);
		return 0;
		@@ -1145,7 +1145,8 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		\|\| !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
		/* No extensions. */
		\|\| PACKET_remaining(pkt) != 0) {
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
		SSL_R_RECORD_LENGTH_MISMATCH);
		al = SSL_AD_DECODE_ERROR;
		goto f_err;
		}
		@@ -1157,7 +1158,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		if (!PACKET_copy_bytes(&challenge,
		s->s3->client_random + SSL3_RANDOM_SIZE -
		challenge_len, challenge_len)) {
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
		al = SSL_AD_INTERNAL_ERROR;
		goto f_err;
		}
		@@ -1169,14 +1170,14 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
		\|\| !PACKET_get_length_prefixed_1(pkt, &session_id)) {
		al = SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}

		if (SSL_IS_DTLS(s)) {
		if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
		al = SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}
		/*
		@@ -1193,7 +1194,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
		\|\| !PACKET_get_length_prefixed_1(pkt, &compression)) {
		al = SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}
		/* Could be empty. */
		@@ -1253,7 +1254,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
		PACKET_remaining(&cookie)) == 0) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
		SSL_R_COOKIE_MISMATCH);
		goto f_err;
		/* else cookie verification succeeded */
		@@ -1262,7 +1263,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		} else if (!PACKET_equal(&cookie, s->d1->cookie,
		s->d1->cookie_len)) {
		al = SSL_AD_HANDSHAKE_FAILURE;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
		goto f_err;
		}
		s->d1->cookie_verified = 1;
		@@ -1274,7 +1275,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		s->version = DTLS1_2_VERSION;
		s->method = DTLSv1_2_server_method();
		} else if (tls1_suiteb(s)) {
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
		SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
		s->version = s->client_version;
		al = SSL_AD_PROTOCOL_VERSION;
		@@ -1284,7 +1285,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		s->version = DTLS1_VERSION;
		s->method = DTLSv1_server_method();
		} else {
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
		SSL_R_WRONG_VERSION_NUMBER);
		s->version = s->client_version;
		al = SSL_AD_PROTOCOL_VERSION;
		@@ -1325,7 +1326,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		* to reuse it
		*/
		al = SSL_AD_ILLEGAL_PARAMETER;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
		SSL_R_REQUIRED_CIPHER_MISSING);
		goto f_err;
		}
		@@ -1340,14 +1341,14 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL s, PACKET pkt)
		if (j >= complen) {
		/* no compress */
		al = SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
		goto f_err;
		}

		/* TLS extensions */
		if (s->version >= SSL3_VERSION) {
		if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
		goto err;
		}
		}
		@@ -2313,7 +2314,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL s, PACKET pkt)
		}

		if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
		al = SSL_AD_INTERNAL_ERROR;
		goto f_err;
		}
		@@ -2407,7 +2408,8 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL s, PACKET pkt)
		enc_premaster = orig;
		} else {
		al = SSL_AD_DECODE_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
		SSL_R_LENGTH_MISMATCH);
		goto f_err;
		}
		}
		@@ -2421,7 +2423,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL s, PACKET pkt)
		*/
		if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
		al = SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
		RSA_R_KEY_SIZE_TOO_SMALL);
		goto f_err;
		}
		@@ -2429,7 +2431,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL s, PACKET pkt)
		rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
		if (rsa_decrypt == NULL) {
		al = SSL_AD_INTERNAL_ERROR;
		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
		SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
		goto f_err;
		}