From: Matt Caswell
Date: Mon, 11 Sep 2023 12:55:41 +0000 (+0100)
Subject: Ensure QUIC-TLS errors raised during channel start are available to caller
X-Git-Tag: openssl-3.2.0-alpha2~86
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=982dae89d8d19fcb9cc2c3b8ba74afef352ecc41;p=thirdparty%2Fopenssl.git

Ensure QUIC-TLS errors raised during channel start are available to caller

TLS misconfiguration errors should be shown to the application to enable diagnosis of the problem. Otherwise you just get a generical "internal error" message.

Reviewed-by: Hugo Landau
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/22066)
---

diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index ce938b70f06..7504f06dfc0 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -44,6 +44,7 @@
  */
 #define DEFAULT_MAX_ACK_DELAY QUIC_DEFAULT_MAX_ACK_DELAY

+static void ch_save_err_state(QUIC_CHANNEL *ch);
 static void ch_rx_pre(QUIC_CHANNEL *ch);
 static int ch_rx(QUIC_CHANNEL *ch);
 static int ch_tx(QUIC_CHANNEL *ch);
@@ -2702,6 +2703,10 @@ int ossl_quic_channel_set_net_wbio(QUIC_CHANNEL *ch, BIO *net_wbio)
  */
 int ossl_quic_channel_start(QUIC_CHANNEL *ch)
 {
+    uint64_t error_code;
+    const char *error_msg;
+    ERR_STATE *error_state = NULL;
+
     if (ch->is_server)
         /*
          * This is not used by the server. The server moves to active
@@ -2730,8 +2735,14 @@ int ossl_quic_channel_start(QUIC_CHANNEL *ch)
     ch->doing_proactive_ver_neg = 0; /* not currently supported */

     /* Handshake layer: start (e.g. send CH). */
-    if (!ossl_quic_tls_tick(ch->qtls))
+    ossl_quic_tls_tick(ch->qtls);
+
+    if (ossl_quic_tls_get_error(ch->qtls, &error_code, &error_msg, &error_state)) {
+        ossl_quic_channel_raise_protocol_error_state(ch, error_code, 0, error_msg, error_state);
         return 0;
+    }

     ossl_quic_reactor_tick(&ch->rtor, 0); /* best effort */
     return 1;
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index b632ad22db2..beec26c019c 100644
--- a/ssl/quic/quic_impl.c
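Review bot: The return value of `ossl_quic_tls_tick(ch->qtls)` is discarded in the third hunk of quic_channel.c, so a tick that fails without leaving a retrievable error behind would now fall through to `ossl_quic_reactor_tick` and make `ossl_quic_channel_start` return 1 where the removed line returned 0. Whether every failure path of the tick records an error that `ossl_quic_tls_get_error` reports cannot be confirmed from this diff; if it does not, a failed handshake start would be reported as success to `ensure_channel_started` and the "failed to start channel" error would never be raised. Keeping the tick's result as a fallback preserves the old failure contract while still surfacing the saved TLS error state first; it needs an `int tick_ok;` alongside the declarations added in the second hunk. The body of `ossl_quic_channel_start` continues between and after the hunks shown here.
```c
    /* Handshake layer: start (e.g. send CH). */
    tick_ok = ossl_quic_tls_tick(ch->qtls);

    if (ossl_quic_tls_get_error(ch->qtls, &error_code, &error_msg,
                                &error_state)) {
        ossl_quic_channel_raise_protocol_error_state(ch, error_code, 0,
                                                     error_msg, error_state);
        return 0;
    }

    /* Tick failed without recording a TLS error: keep the old contract. */
    if (!tick_ok)
        return 0;

    /* … unchanged: reactor tick and return 1 … */
```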
+++ b/ssl/quic/quic_impl.c
@@ -1524,6 +1524,7 @@ static int ensure_channel_started(QCTX *ctx)
     }

     if (!ossl_quic_channel_start(qc->ch)) {
+        ossl_quic_channel_restore_err_state(qc->ch);
         QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, "failed to start channel");
         return 0;
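Review bot: The added `ossl_quic_channel_restore_err_state(qc->ch)` call is immediately followed by `QUIC_RAISE_NON_NORMAL_ERROR(ctx, ERR_R_INTERNAL_ERROR, ...)`, so the order of the two lines is load-bearing: the restored TLS error has to be placed in the queue before the generic internal error or the application is back to seeing only "internal error". That dependency deserves a comment on the added line such as `/* Restore the QUIC-TLS error saved by the channel before raising the generic error, so the application can see the actual cause */`. It is also not visible here what `ossl_quic_channel_restore_err_state` does when the channel failed to start for a reason other than TLS and no state was saved; if it is not a no-op in that case the call should be guarded or its contract documented. `ensure_channel_started` begins outside the hunk.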