[openssl] master update
Richard Levitte
levitte at openssl.org
Tue Jan 12 18:03:08 UTC 2021
The branch master has been updated
via 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 (commit)
via d6d42cda5fbc05aeaadf8c760db60e9089e3609b (commit)
from 0d11846e4b2850773d1ee0df206608549a7d45d0 (commit)
- Log -----------------------------------------------------------------
commit 5a2d0ef36f4c130758a9d5e84f93004458e3ce60
Author: Richard Levitte <levitte at openssl.org>
Date: Fri Nov 20 23:07:56 2020 +0100
Clean away extraneous library specific FETCH_FAILED reason codes
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13467)
commit d6d42cda5fbc05aeaadf8c760db60e9089e3609b
Author: Richard Levitte <levitte at openssl.org>
Date: Sat Oct 17 07:07:41 2020 +0200
Use centralized fetching errors
We've spread around FETCH_FAILED errors in quite a few places, and
that gives somewhat crude error records, as there's no way to tell if
the error was unavailable algorithms or some other error at such high
levels.
As an alternative, we take recording of these kinds of errors down to
the fetching functions, which are in a much better place to tell what
kind of error it was, thereby relieving the higher level calls from
having to guess.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13467)
-----------------------------------------------------------------------
Summary of changes:
crypto/context.c | 13 ++++++++++
crypto/encode_decode/decoder_meth.c | 48 +++++++++++++++++++++++++++++++++---
crypto/encode_decode/encoder_meth.c | 48 +++++++++++++++++++++++++++++++++---
crypto/err/err.c | 9 +++++++
crypto/err/openssl.txt | 2 --
crypto/evp/evp_err.c | 1 -
crypto/evp/evp_fetch.c | 26 +++++---------------
crypto/store/store_meth.c | 49 ++++++++++++++++++++++++++++++++++---
include/internal/cryptlib.h | 1 +
include/openssl/err.h.in | 2 ++
include/openssl/evperr.h | 1 -
include/openssl/sslerr.h | 2 --
ssl/s3_enc.c | 3 ++-
ssl/ssl_err.c | 4 ---
ssl/statem/statem.c | 21 ++++++++++------
ssl/statem/statem.h | 2 ++
ssl/statem/statem_clnt.c | 3 ++-
ssl/statem/statem_srvr.c | 3 ++-
ssl/t1_enc.c | 3 ++-
ssl/tls13_enc.c | 7 +++---
test/tls13secretstest.c | 4 +++
21 files changed, 198 insertions(+), 54 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index 4dbfb723e1..c351ff9619 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -368,3 +368,16 @@ int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn)
return 1;
}
+
+const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx)
+{
+#ifdef FIPS_MODULE
+ return "FIPS internal library context";
+#else
+ if (ossl_lib_ctx_is_global_default(libctx))
+ return "Global default library context";
+ if (ossl_lib_ctx_is_default(libctx))
+ return "Thread-local default library context";
+ return "Non-default library context";
+#endif
+}
diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c
index 0d389ac5a6..915c91fd80 100644
--- a/crypto/encode_decode/decoder_meth.c
+++ b/crypto/encode_decode/decoder_meth.c
@@ -87,6 +87,8 @@ struct decoder_data_st {
int id; /* For get_decoder_from_store() */
const char *names; /* For get_decoder_from_store() */
const char *propquery; /* For get_decoder_from_store() */
+
+ unsigned int flag_construct_error_occured : 1;
};
/*
@@ -242,7 +244,7 @@ void *ossl_decoder_from_dispatch(int id, const OSSL_ALGORITHM *algodef,
* then call ossl_decoder_from_dispatch() with that identity number.
*/
static void *construct_decoder(const OSSL_ALGORITHM *algodef,
- OSSL_PROVIDER *prov, void *unused)
+ OSSL_PROVIDER *prov, void *data)
{
/*
* This function is only called if get_decoder_from_store() returned
@@ -250,6 +252,7 @@ static void *construct_decoder(const OSSL_ALGORITHM *algodef,
* namemap entry, this is it. Should the name already exist there, we
* know that ossl_namemap_add() will return its corresponding number.
*/
+ struct decoder_data_st *methdata = data;
OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov);
OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
const char *names = algodef->algorithm_names;
@@ -259,6 +262,14 @@ static void *construct_decoder(const OSSL_ALGORITHM *algodef,
if (id != 0)
method = ossl_decoder_from_dispatch(id, algodef, prov);
+ /*
+ * Flag to indicate that there was actual construction errors. This
+ * helps inner_evp_generic_fetch() determine what error it should
+ * record on inaccessible algorithms.
+ */
+ if (method == NULL)
+ methdata->flag_construct_error_occured = 1;
+
return method;
}
@@ -286,20 +297,32 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id,
OSSL_METHOD_STORE *store = get_decoder_store(libctx);
OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
void *method = NULL;
+ int unsupported = 0;
- if (store == NULL || namemap == NULL)
+ if (store == NULL || namemap == NULL) {
+ ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
+ }
/*
* If we have been passed neither a name_id or a name, we have an
* internal programming error.
*/
- if (!ossl_assert(id != 0 || name != NULL))
+ if (!ossl_assert(id != 0 || name != NULL)) {
+ ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR);
return NULL;
+ }
if (id == 0)
id = ossl_namemap_name2num(namemap, name);
+ /*
+ * If we haven't found the name yet, chances are that the algorithm to
+ * be fetched is unsupported.
+ */
+ if (id == 0)
+ unsupported = 1;
+
if (id == 0
|| !ossl_method_store_cache_get(store, id, properties, &method)) {
OSSL_METHOD_CONSTRUCT_METHOD mcm = {
@@ -317,6 +340,7 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id,
mcmdata.id = id;
mcmdata.names = name;
mcmdata.propquery = properties;
+ mcmdata.flag_construct_error_occured = 0;
if ((method = ossl_method_construct(libctx, OSSL_OP_DECODER,
0 /* !force_cache */,
&mcm, &mcmdata)) != NULL) {
@@ -331,6 +355,24 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id,
ossl_method_store_cache_set(store, id, properties, method,
up_ref_decoder, free_decoder);
}
+
+ /*
+ * If we never were in the constructor, the algorithm to be fetched
+ * is unsupported.
+ */
+ unsupported = !mcmdata.flag_construct_error_occured;
+ }
+
+ if (method == NULL) {
+ int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED;
+
+ if (name == NULL)
+ name = ossl_namemap_num2name(namemap, id, 0);
+ ERR_raise_data(ERR_LIB_OSSL_DECODER, code,
+ "%s, Name (%s : %d), Properties (%s)",
+ ossl_lib_ctx_get_descriptor(libctx),
+ name = NULL ? "<null>" : name, id,
+ properties == NULL ? "<null>" : properties);
}
return method;
diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c
index 99c4a119d3..d3eea415ff 100644
--- a/crypto/encode_decode/encoder_meth.c
+++ b/crypto/encode_decode/encoder_meth.c
@@ -87,6 +87,8 @@ struct encoder_data_st {
int id; /* For get_encoder_from_store() */
const char *names; /* For get_encoder_from_store() */
const char *propquery; /* For get_encoder_from_store() */
+
+ unsigned int flag_construct_error_occured : 1;
};
/*
@@ -254,7 +256,7 @@ static void *encoder_from_dispatch(int id, const OSSL_ALGORITHM *algodef,
* then call encoder_from_dispatch() with that identity number.
*/
static void *construct_encoder(const OSSL_ALGORITHM *algodef,
- OSSL_PROVIDER *prov, void *unused)
+ OSSL_PROVIDER *prov, void *data)
{
/*
* This function is only called if get_encoder_from_store() returned
@@ -262,6 +264,7 @@ static void *construct_encoder(const OSSL_ALGORITHM *algodef,
* namemap entry, this is it. Should the name already exist there, we
* know that ossl_namemap_add() will return its corresponding number.
*/
+ struct encoder_data_st *methdata = data;
OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov);
OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
const char *names = algodef->algorithm_names;
@@ -271,6 +274,14 @@ static void *construct_encoder(const OSSL_ALGORITHM *algodef,
if (id != 0)
method = encoder_from_dispatch(id, algodef, prov);
+ /*
+ * Flag to indicate that there was actual construction errors. This
+ * helps inner_evp_generic_fetch() determine what error it should
+ * record on inaccessible algorithms.
+ */
+ if (method == NULL)
+ methdata->flag_construct_error_occured = 1;
+
return method;
}
@@ -298,20 +309,32 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx,
OSSL_METHOD_STORE *store = get_encoder_store(libctx);
OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
void *method = NULL;
+ int unsupported = 0;
- if (store == NULL || namemap == NULL)
+ if (store == NULL || namemap == NULL) {
+ ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
+ }
/*
* If we have been passed neither a name_id or a name, we have an
* internal programming error.
*/
- if (!ossl_assert(id != 0 || name != NULL))
+ if (!ossl_assert(id != 0 || name != NULL)) {
+ ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_INTERNAL_ERROR);
return NULL;
+ }
if (id == 0)
id = ossl_namemap_name2num(namemap, name);
+ /*
+ * If we haven't found the name yet, chances are that the algorithm to
+ * be fetched is unsupported.
+ */
+ if (id == 0)
+ unsupported = 1;
+
if (id == 0
|| !ossl_method_store_cache_get(store, id, properties, &method)) {
OSSL_METHOD_CONSTRUCT_METHOD mcm = {
@@ -329,6 +352,7 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx,
mcmdata.id = id;
mcmdata.names = name;
mcmdata.propquery = properties;
+ mcmdata.flag_construct_error_occured = 0;
if ((method = ossl_method_construct(libctx, OSSL_OP_ENCODER,
0 /* !force_cache */,
&mcm, &mcmdata)) != NULL) {
@@ -343,6 +367,24 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx,
ossl_method_store_cache_set(store, id, properties, method,
up_ref_encoder, free_encoder);
}
+
+ /*
+ * If we never were in the constructor, the algorithm to be fetched
+ * is unsupported.
+ */
+ unsupported = !mcmdata.flag_construct_error_occured;
+ }
+
+ if (method == NULL) {
+ int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED;
+
+ if (name == NULL)
+ name = ossl_namemap_num2name(namemap, id, 0);
+ ERR_raise_data(ERR_LIB_OSSL_ENCODER, code,
+ "%s, Name (%s : %d), Properties (%s)",
+ ossl_lib_ctx_get_descriptor(libctx),
+ name = NULL ? "<null>" : name, id,
+ properties == NULL ? "<null>" : properties);
}
return method;
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 9528158a08..bc7ce875d0 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -117,6 +117,15 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
{ERR_R_INVALID_PROVIDER_FUNCTIONS, "invalid provider functions"},
{ERR_R_INTERRUPTED_OR_CANCELLED, "interrupted or cancelled"},
+ /*
+ * Something is unsupported, exactly what is expressed with additional data
+ */
+ {ERR_R_UNSUPPORTED, "unsupported"},
+ /*
+ * A fetch failed for other reasons than the name to be fetched being
+ * unsupported.
+ */
+ {ERR_R_FETCH_FAILED, "fetch failed"},
{0, NULL},
};
#endif
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 4e36fc3394..bb200a7960 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2554,7 +2554,6 @@ EVP_R_EXPECTING_A_ECX_KEY:219:expecting a ecx key
EVP_R_EXPECTING_A_EC_KEY:142:expecting a ec key
EVP_R_EXPECTING_A_POLY1305_KEY:164:expecting a poly1305 key
EVP_R_EXPECTING_A_SIPHASH_KEY:175:expecting a siphash key
-EVP_R_FETCH_FAILED:202:fetch failed
EVP_R_FINAL_ERROR:188:final error
EVP_R_FIPS_MODE_NOT_SUPPORTED:167:fips mode not supported
EVP_R_GENERATE_ERROR:214:generate error
@@ -3106,7 +3105,6 @@ SM2_R_INVALID_FIELD:105:invalid field
SM2_R_INVALID_PRIVATE_KEY:113:invalid private key
SM2_R_NO_PARAMETERS_SET:109:no parameters set
SM2_R_USER_ID_TOO_LARGE:106:user id too large
-SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed
SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
application data after close notify
SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 894f0cebcb..e08c373b33 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -71,7 +71,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
"expecting a poly1305 key"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_SIPHASH_KEY),
"expecting a siphash key"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FETCH_FAILED), "fetch failed"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FINAL_ERROR), "final error"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FIPS_MODE_NOT_SUPPORTED),
"fips mode not supported"},
diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c
index 7a0a3fcda7..5d6d3dbb29 100644
--- a/crypto/evp/evp_fetch.c
+++ b/crypto/evp/evp_fetch.c
@@ -215,19 +215,6 @@ static void destruct_evp_method(void *method, void *data)
methdata->destruct_method(method);
}
-static const char *libctx_descriptor(OSSL_LIB_CTX *libctx)
-{
-#ifdef FIPS_MODULE
- return "FIPS internal library context";
-#else
- if (ossl_lib_ctx_is_global_default(libctx))
- return "Global default library context";
- if (ossl_lib_ctx_is_default(libctx))
- return "Thread-local default library context";
- return "Non-default library context";
-#endif
-}
-
static void *
inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id,
int name_id, const char *name,
@@ -245,7 +232,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id,
int unsupported = 0;
if (store == NULL || namemap == NULL) {
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT);
+ ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
}
@@ -254,7 +241,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id,
* programming error.
*/
if (!ossl_assert(operation_id > 0)) {
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
return NULL;
}
@@ -263,7 +250,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id,
* internal programming error.
*/
if (!ossl_assert(name_id != 0 || name != NULL)) {
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
return NULL;
}
@@ -280,7 +267,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id,
* For all intents and purposes, this is an internal error.
*/
if (name_id != 0 && (meth_id = evp_method_id(name_id, operation_id)) == 0) {
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
return NULL;
}
@@ -337,14 +324,13 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id,
}
if (method == NULL) {
- int code =
- unsupported ? EVP_R_UNSUPPORTED_ALGORITHM : EVP_R_FETCH_FAILED;
+ int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED;
if (name == NULL)
name = ossl_namemap_num2name(namemap, name_id, 0);
ERR_raise_data(ERR_LIB_EVP, code,
"%s, Algorithm (%s : %d), Properties (%s)",
- libctx_descriptor(libctx),
+ ossl_lib_ctx_get_descriptor(libctx),
name = NULL ? "<null>" : name, name_id,
properties == NULL ? "<null>" : properties);
}
diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c
index 166b885806..979f42a16d 100644
--- a/crypto/store/store_meth.c
+++ b/crypto/store/store_meth.c
@@ -92,6 +92,8 @@ struct loader_data_st {
int scheme_id; /* For get_loader_from_store() */
const char *scheme; /* For get_loader_from_store() */
const char *propquery; /* For get_loader_from_store() */
+
+ unsigned int flag_construct_error_occured : 1;
};
/*
@@ -227,7 +229,7 @@ static void *loader_from_dispatch(int scheme_id, const OSSL_ALGORITHM *algodef,
* then call loader_from_dispatch() with that identity number.
*/
static void *construct_loader(const OSSL_ALGORITHM *algodef,
- OSSL_PROVIDER *prov, void *unused)
+ OSSL_PROVIDER *prov, void *data)
{
/*
* This function is only called if get_loader_from_store() returned
@@ -235,6 +237,7 @@ static void *construct_loader(const OSSL_ALGORITHM *algodef,
* namemap entry, this is it. Should the scheme already exist there, we
* know that ossl_namemap_add() will return its corresponding number.
*/
+ struct loader_data_st *methdata = data;
OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov);
OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
const char *scheme = algodef->algorithm_names;
@@ -244,6 +247,14 @@ static void *construct_loader(const OSSL_ALGORITHM *algodef,
if (id != 0)
method = loader_from_dispatch(id, algodef, prov);
+ /*
+ * Flag to indicate that there was actual construction errors. This
+ * helps inner_evp_generic_fetch() determine what error it should
+ * record on inaccessible algorithms.
+ */
+ if (method == NULL)
+ methdata->flag_construct_error_occured = 1;
+
return method;
}
@@ -261,20 +272,33 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx,
OSSL_METHOD_STORE *store = get_loader_store(libctx);
OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
void *method = NULL;
+ int unsupported = 0;
- if (store == NULL || namemap == NULL)
+ if (store == NULL || namemap == NULL) {
+ ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
+ }
/*
* If we have been passed neither a scheme_id or a scheme, we have an
* internal programming error.
*/
- if (!ossl_assert(id != 0 || scheme != NULL))
+ if (!ossl_assert(id != 0 || scheme != NULL)) {
+ ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_INTERNAL_ERROR);
return NULL;
+ }
+ /* If we haven't received a name id yet, try to get one for the name */
if (id == 0)
id = ossl_namemap_name2num(namemap, scheme);
+ /*
+ * If we haven't found the name yet, chances are that the algorithm to
+ * be fetched is unsupported.
+ */
+ if (id == 0)
+ unsupported = 1;
+
if (id == 0
|| !ossl_method_store_cache_get(store, id, properties, &method)) {
OSSL_METHOD_CONSTRUCT_METHOD mcm = {
@@ -292,6 +316,7 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx,
mcmdata.scheme_id = id;
mcmdata.scheme = scheme;
mcmdata.propquery = properties;
+ mcmdata.flag_construct_error_occured = 0;
if ((method = ossl_method_construct(libctx, OSSL_OP_STORE,
0 /* !force_cache */,
&mcm, &mcmdata)) != NULL) {
@@ -305,6 +330,24 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx,
ossl_method_store_cache_set(store, id, properties, method,
up_ref_loader, free_loader);
}
+
+ /*
+ * If we never were in the constructor, the algorithm to be fetched
+ * is unsupported.
+ */
+ unsupported = !mcmdata.flag_construct_error_occured;
+ }
+
+ if (method == NULL) {
+ int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED;
+
+ if (scheme == NULL)
+ scheme = ossl_namemap_num2name(namemap, id, 0);
+ ERR_raise_data(ERR_LIB_OSSL_STORE, code,
+ "%s, Scheme (%s : %d), Properties (%s)",
+ ossl_lib_ctx_get_descriptor(libctx),
+ scheme = NULL ? "<null>" : scheme, id,
+ properties == NULL ? "<null>" : properties);
}
return method;
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index eae10dfb6c..0267e3f82e 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -184,6 +184,7 @@ typedef void (ossl_lib_ctx_onfree_fn)(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx,
ossl_lib_ctx_run_once_fn run_once_fn);
int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn);
+const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx);
OSSL_LIB_CTX *crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad);
int crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj,
diff --git a/include/openssl/err.h.in b/include/openssl/err.h.in
index deb6117d82..697186a288 100644
--- a/include/openssl/err.h.in
+++ b/include/openssl/err.h.in
@@ -355,6 +355,8 @@ static ossl_unused ossl_inline int ERR_COMMON_ERROR(unsigned long errcode)
# define ERR_R_INTERRUPTED_OR_CANCELLED (265|ERR_RFLAG_COMMON)
# define ERR_R_NESTED_ASN1_ERROR (266|ERR_RFLAG_COMMON)
# define ERR_R_MISSING_ASN1_EOS (267|ERR_RFLAG_COMMON)
+# define ERR_R_UNSUPPORTED (268|ERR_RFLAG_COMMON)
+# define ERR_R_FETCH_FAILED (269|ERR_RFLAG_COMMON)
typedef struct ERR_string_data_st {
unsigned long error;
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index 4e9989899f..c25cc49025 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -190,7 +190,6 @@
# define EVP_R_EXPECTING_A_EC_KEY 142
# define EVP_R_EXPECTING_A_POLY1305_KEY 164
# define EVP_R_EXPECTING_A_SIPHASH_KEY 175
-# define EVP_R_FETCH_FAILED 202
# define EVP_R_FINAL_ERROR 188
# define EVP_R_FIPS_MODE_NOT_SUPPORTED 167
# define EVP_R_GENERATE_ERROR 214
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index d2721d354c..24bb156344 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -458,7 +458,6 @@
/*
* SSL reason codes.
*/
-# define SSL_R_ALGORITHM_FETCH_FAILED 295
# define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291
# define SSL_R_APP_DATA_IN_HANDSHAKE 100
# define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
@@ -513,7 +512,6 @@
# define SSL_R_CERT_LENGTH_MISMATCH 135
# define SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED 218
# define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
-# define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
# define SSL_R_CLIENTHELLO_TLSEXT 226
# define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
# define SSL_R_COMPRESSION_DISABLED 343
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index f1fb9dd987..02b0291dfa 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -251,7 +251,8 @@ int ssl3_setup_key_block(SSL *s)
if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, &comp,
0)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+ /* Error is already recorded */
+ SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
return 0;
}
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 39db31bee6..8aeef5ffb3 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -15,8 +15,6 @@
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA SSL_str_reasons[] = {
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED),
- "algorithm fetch failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
"application data after close notify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
@@ -90,8 +88,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"ciphersuite digest has changed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH),
"cipher code wrong length"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_OR_HASH_UNAVAILABLE),
- "cipher or hash unavailable"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "clienthello tlsext"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG),
"compressed length too long"},
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 009f370f97..a70f8bc53c 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -111,6 +111,18 @@ void ossl_statem_set_renegotiate(SSL *s)
s->statem.request_state = TLS_ST_SW_HELLO_REQ;
}
+void ossl_statem_send_fatal(SSL *s, int al)
+{
+ /* We shouldn't call SSLfatal() twice. Once is enough */
+ if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR)
+ return;
+ s->statem.in_init = 1;
+ s->statem.state = MSG_FLOW_ERROR;
+ if (al != SSL_AD_NO_ALERT
+ && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID)
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+}
+
/*
* Error reporting building block that's used instead of ERR_set_error().
* In addition to what ERR_set_error() does, this puts the state machine
@@ -125,14 +137,7 @@ void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...)
ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);
va_end(args);
- /* We shouldn't call SSLfatal() twice. Once is enough */
- if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR)
- return;
- s->statem.in_init = 1;
- s->statem.state = MSG_FLOW_ERROR;
- if (al != SSL_AD_NO_ALERT
- && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID)
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ ossl_statem_send_fatal(s, al);
}
/*
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
index 72d10dffcf..d435cfe704 100644
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -132,8 +132,10 @@ __owur int ossl_statem_accept(SSL *s);
__owur int ossl_statem_connect(SSL *s);
void ossl_statem_clear(SSL *s);
void ossl_statem_set_renegotiate(SSL *s);
+void ossl_statem_send_fatal(SSL *s, int al);
void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...);
# define SSL_AD_NO_ALERT -1
+# define SSLfatal_alert(s, al) ossl_statem_send_fatal((s), (al))
# define SSLfatal(s, al, r) SSLfatal_data((s), (al), (r), NULL)
# define SSLfatal_data \
(ERR_new(), \
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 875ea59589..045db8265e 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2557,7 +2557,8 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
*/
sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq);
if (sha256 == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_ALGORITHM_FETCH_FAILED);
+ /* Error is already recorded */
+ SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
goto err;
}
/*
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index cc09a23960..597456ae83 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3776,7 +3776,8 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
s->ctx->propq);
if (cipher == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_ALGORITHM_FETCH_FAILED);
+ /* Error is already recorded */
+ SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
goto err;
}
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 8a403a1e14..b02961e0eb 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -539,7 +539,8 @@ int tls1_setup_key_block(SSL *s)
if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, &mac_type,
&mac_secret_size, &comp, s->ext.use_etm)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+ /* Error is already recorded */
+ SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
return 0;
}
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index c53d374b69..62adddea26 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -383,7 +383,8 @@ int tls13_setup_key_block(SSL *s)
s->session->cipher = s->s3.tmp.new_cipher;
if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL,
0)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+ /* Error is already recorded */
+ SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
return 0;
}
@@ -595,8 +596,8 @@ int tls13_change_cipher_state(SSL *s, int which)
* it again
*/
if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_R_ALGORITHM_FETCH_FAILED);
+ /* Error is already recorded */
+ SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
EVP_MD_CTX_free(mdctx);
goto err;
}
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index 9dab53baf6..9d80fe5fc4 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -198,6 +198,10 @@ const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
return EVP_sha256();
}
+void ossl_statem_send_fatal(SSL *s, int al)
+{
+}
+
void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...)
{
}
More information about the openssl-commits
mailing list