From: Matt Caswell Date: Fri, 12 Aug 2022 12:27:21 +0000 (+0100) Subject: Use an enum for the return value from a construction function X-Git-Tag: openssl-3.2.0-alpha1~2064 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67ec6d2b747810db609330003dcf08c8c584105b;p=thirdparty%2Fopenssl.git Use an enum for the return value from a construction function Construction return values are no longer boolean but can return 3 different values, so we use an enum to represent them. Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/18990) --- diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index ad227d2a9fd..b885214f3c2 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -806,11 +806,11 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s) WORK_STATE(*pre_work) (SSL_CONNECTION *s, WORK_STATE wst); WORK_STATE(*post_work) (SSL_CONNECTION *s, WORK_STATE wst); int (*get_construct_message_f) (SSL_CONNECTION *s, - int (**confunc) (SSL_CONNECTION *s, - WPACKET *pkt), + CON_FUNC_RETURN (**confunc) (SSL_CONNECTION *s, + WPACKET *pkt), int *mt); void (*cb) (const SSL *ssl, int type, int val) = NULL; - int (*confunc) (SSL_CONNECTION *s, WPACKET *pkt); + CON_FUNC_RETURN (*confunc) (SSL_CONNECTION *s, WPACKET *pkt); int mt; WPACKET pkt; SSL *ssl = SSL_CONNECTION_GET_SSL(s); @@ -889,14 +889,14 @@ static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s) return SUB_STATE_ERROR; } if (confunc != NULL) { - int tmpret; + CON_FUNC_RETURN tmpret; tmpret = confunc(s, &pkt); - if (tmpret <= 0) { + if (tmpret == CON_FUNC_ERROR) { WPACKET_cleanup(&pkt); check_fatal(s); return SUB_STATE_ERROR; - } else if (tmpret == 2) { + } else if (tmpret == CON_FUNC_DONT_SEND) { /* * The construction function decided not to construct the * message after all and continue. Skip sending. diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h index 75fb06481c0..28ef97922e6 100644 --- a/ssl/statem/statem.h +++ b/ssl/statem/statem.h @@ -80,6 +80,12 @@ typedef enum { ENC_WRITE_STATE_WRITE_PLAIN_ALERTS } ENC_WRITE_STATES; +typedef enum { + CON_FUNC_ERROR = 0, + CON_FUNC_SUCCESS, + CON_FUNC_DONT_SEND +} CON_FUNC_RETURN; + /***************************************************************************** * * * This structure should be considered "opaque" to anything outside of the * diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 1bccd6b27c8..3d00386129b 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1098,7 +1098,7 @@ WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s, } } -int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) { unsigned char *p; size_t sess_id_len; @@ -1114,7 +1114,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) protverr = ssl_set_client_hello_version(s); if (protverr != 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); - return 0; + return CON_FUNC_ERROR; } if (sess == NULL @@ -1123,7 +1123,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) if (s->hello_retry_request == SSL_HRR_NONE && !ssl_get_new_session(s, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } } /* else use the pre-loaded session */ @@ -1150,7 +1150,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), DOWNGRADE_NONE) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /*- @@ -1189,7 +1189,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) if (!WPACKET_put_bytes_u16(pkt, s->client_version) || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* Session ID */ @@ -1204,7 +1204,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) && RAND_bytes_ex(sctx->libctx, s->tmp_session_id, sess_id_len, 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } else { sess_id_len = 0; @@ -1222,7 +1222,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) sess_id_len)) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* cookie stuff for DTLS */ @@ -1231,30 +1231,30 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, s->d1->cookie_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } /* Ciphers supported */ if (!WPACKET_start_sub_packet_u16(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)), pkt)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } if (!WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* COMPRESSION */ if (!WPACKET_start_sub_packet_u8(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } #ifndef OPENSSL_NO_COMP if (ssl_allow_compression(s) @@ -1266,7 +1266,7 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) comp = sk_SSL_COMP_value(sctx->comp_methods, i); if (!WPACKET_put_bytes_u8(pkt, comp->id)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } } @@ -1274,16 +1274,16 @@ int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) /* Add the NULL method */ if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* TLS extensions */ if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt) @@ -3315,7 +3315,8 @@ static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt) #endif } -int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s, + WPACKET *pkt) { unsigned long alg_k; @@ -3352,7 +3353,7 @@ int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt) goto err; } - return 1; + return CON_FUNC_SUCCESS; err: OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); s->s3.tmp.pms = NULL; @@ -3362,7 +3363,7 @@ int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt) s->s3.tmp.psk = NULL; s->s3.tmp.psklen = 0; #endif - return 0; + return CON_FUNC_ERROR; } int tls_client_key_exchange_post_work(SSL_CONNECTION *s) @@ -3538,7 +3539,8 @@ WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) return WORK_ERROR; } -int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, + WPACKET *pkt) { SSL *ssl = SSL_CONNECTION_GET_SSL(s); @@ -3547,18 +3549,18 @@ int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt) /* no context available, add 0-length context */ if (!WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } if (!ssl3_output_cert_chain(s, pkt, (s->s3.tmp.cert_req == 2) ? NULL : s->cert->key)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } if (SSL_CONNECTION_IS_TLS13(s) @@ -3570,10 +3572,10 @@ int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt) * state and thus ssl3_send_alert may crash. */ SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s) @@ -3620,7 +3622,7 @@ int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s) } #ifndef OPENSSL_NO_NEXTPROTONEG -int tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt) { size_t len, padding_len; unsigned char *padding = NULL; @@ -3631,12 +3633,12 @@ int tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt) if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } memset(padding, 0, padding_len); - return 1; + return CON_FUNC_SUCCESS; } #endif @@ -3820,14 +3822,14 @@ int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, return 1; } -int tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt) { if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + return CON_FUNC_ERROR; } s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; - return 1; + return CON_FUNC_SUCCESS; } diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index c9b17bb22bf..4fa70be723e 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -927,18 +927,19 @@ static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype, * ssl->session->read_compression assign * ssl->session->read_hash assign */ -int dtls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN dtls_construct_change_cipher_spec(SSL_CONNECTION *s, + WPACKET *pkt) { if (s->version == DTLS1_BAD_VER) { s->d1->next_handshake_write_seq++; if (!WPACKET_put_bytes_u16(pkt, s->d1->handshake_write_seq)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } - return 1; + return CON_FUNC_SUCCESS; } #ifndef OPENSSL_NO_SCTP diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index ea49d71de5f..bfc8c1cac9b 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -268,7 +268,7 @@ static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs, return 1; } -int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt) { EVP_PKEY *pkey = NULL; const EVP_MD *md = NULL; @@ -386,11 +386,11 @@ int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt) OPENSSL_free(sig); EVP_MD_CTX_free(mctx); - return 1; + return CON_FUNC_SUCCESS; err: OPENSSL_free(sig); EVP_MD_CTX_free(mctx); - return 0; + return CON_FUNC_ERROR; } MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) @@ -561,7 +561,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) return ret; } -int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) { size_t finish_md_len; const char *sender; @@ -582,7 +582,7 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) && (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } if (s->server) { @@ -598,14 +598,14 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) s->s3.tmp.finish_md); if (finish_md_len == 0) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } s->s3.tmp.finish_md_len = finish_md_len; if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* @@ -616,7 +616,7 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key, s->session->master_key_length)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } /* @@ -624,7 +624,7 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) */ if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (!s->server) { memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md, @@ -636,18 +636,18 @@ int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) s->s3.previous_server_finished_len = finish_md_len; } - return 1; + return CON_FUNC_SUCCESS; } -int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt) { if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } s->key_update = SSL_KEY_UPDATE_NONE; - return 1; + return CON_FUNC_SUCCESS; } MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt) @@ -896,14 +896,14 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) return MSG_PROCESS_FINISHED_READING; } -int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt) { if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } /* Add a certificate to the WPACKET */ diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 22b6ddb584d..be28c930b8b 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -54,7 +54,7 @@ typedef enum { MSG_PROCESS_CONTINUE_READING } MSG_PROCESS_RETURN; -typedef int (*confunc_f) (SSL_CONNECTION *s, WPACKET *pkt); +typedef CON_FUNC_RETURN (*confunc_f) (SSL_CONNECTION *s, WPACKET *pkt); int ssl3_take_mac(SSL_CONNECTION *s); int check_in_list(SSL_CONNECTION *s, uint16_t group_id, const uint16_t *groups, @@ -111,11 +111,13 @@ __owur int tls_process_initial_server_flight(SSL_CONNECTION *s); __owur MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL_CONNECTION *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt); -__owur int tls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt); -__owur int dtls_construct_change_cipher_spec(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_change_cipher_spec(SSL_CONNECTION *s, + WPACKET *pkt); +__owur CON_FUNC_RETURN dtls_construct_change_cipher_spec(SSL_CONNECTION *s, + WPACKET *pkt); -__owur int tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt); -__owur int tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_key_update(SSL_CONNECTION *s, WPACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_key_update(SSL_CONNECTION *s, PACKET *pkt); __owur WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, WORK_STATE wst, @@ -123,7 +125,8 @@ __owur WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, WORK_STATE wst, __owur WORK_STATE dtls_wait_for_dry(SSL_CONNECTION *s); /* some client-only functions */ -__owur int tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, + WPACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, @@ -135,16 +138,20 @@ __owur MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s, PACKET *pkt); -__owur int tls_construct_cert_verify(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_cert_verify(SSL_CONNECTION *s, + WPACKET *pkt); __owur WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst); -__owur int tls_construct_client_certificate(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, + WPACKET *pkt); __owur int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey); -__owur int tls_construct_client_key_exchange(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s, + WPACKET *pkt); __owur int tls_client_key_exchange_post_work(SSL_CONNECTION *s); __owur int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt); -__owur int tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s, + WPACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, @@ -153,23 +160,30 @@ __owur WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, WORK_STATE wst); __owur int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s); #ifndef OPENSSL_NO_NEXTPROTONEG -__owur int tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt); #endif __owur MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt); __owur MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt); -__owur int tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, + WPACKET *pkt); /* some server-only functions */ __owur MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt); __owur WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst); -__owur int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt); -__owur int dtls_construct_hello_verify_request(SSL_CONNECTION *s, WPACKET *pkt); -__owur int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt); -__owur int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt); -__owur int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt); -__owur int tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, + WPACKET *pkt); +__owur CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, + WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, + WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, + WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, + WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, + WPACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, PACKET *pkt); __owur MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s, @@ -182,7 +196,8 @@ __owur MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, __owur MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt); #endif -__owur int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt); +__owur CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, + WPACKET *pkt); MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index cafc18ef547..e56ccfd5536 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -43,7 +43,8 @@ ASN1_SEQUENCE(GOST_KX_MESSAGE) = { IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE) -static int tls_construct_encrypted_extensions(SSL_CONNECTION *s, WPACKET *pkt); +static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s, + WPACKET *pkt); /* * ossl_statem_server13_read_transition() encapsulates the logic for the allowed @@ -1291,7 +1292,8 @@ int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, return 1; } -int dtls_construct_hello_verify_request(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, + WPACKET *pkt) { unsigned int cookie_leni; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); @@ -1301,17 +1303,17 @@ int dtls_construct_hello_verify_request(SSL_CONNECTION *s, WPACKET *pkt) &cookie_leni) == 0 || cookie_leni > DTLS1_COOKIE_LENGTH) { SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); - return 0; + return CON_FUNC_ERROR; } s->d1->cookie_len = cookie_leni; if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, s->d1->cookie_len)) { SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } /*- @@ -2318,7 +2320,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) return WORK_ERROR; } -int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) { int compm; size_t sl, len; @@ -2338,7 +2340,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) ? hrrrandom : s->s3.server_random, SSL3_RANDOM_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /*- @@ -2374,7 +2376,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) if (sl > sizeof(s->session->session_id)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* set up the compression method */ @@ -2392,7 +2394,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) pkt, &len) || !WPACKET_put_bytes_u8(pkt, compm)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (!tls_construct_extensions(s, pkt, @@ -2403,7 +2405,7 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) : SSL_EXT_TLS1_2_SERVER_HELLO), NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } if (s->hello_retry_request == SSL_HRR_PENDING) { @@ -2418,29 +2420,30 @@ int tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) */ if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } } else if (!(s->verify_mode & SSL_VERIFY_PEER) && !ssl3_digest_cached_records(s, 0)) { /* SSLfatal() already called */; - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } -int tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt) { if (!s->s3.tmp.cert_request) { if (!ssl3_digest_cached_records(s, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } } - return 1; + return CON_FUNC_SUCCESS; } -int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, + WPACKET *pkt) { EVP_PKEY *pkdh = NULL; unsigned char *encodedPoint = NULL; @@ -2453,7 +2456,8 @@ int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt) EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_PKEY_CTX *pctx = NULL; size_t paramlen, paramoffset; - int freer = 0, ret = 0; + int freer = 0; + CON_FUNC_RETURN ret = CON_FUNC_ERROR; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); if (!WPACKET_get_total_written(pkt, ¶moffset)) { @@ -2735,7 +2739,7 @@ int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt) OPENSSL_free(tbs); } - ret = 1; + ret = CON_FUNC_SUCCESS; err: EVP_PKEY_free(pkdh); OPENSSL_free(encodedPoint); @@ -2749,7 +2753,8 @@ int tls_construct_server_key_exchange(SSL_CONNECTION *s, WPACKET *pkt) return ret; } -int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, + WPACKET *pkt) { if (SSL_CONNECTION_IS_TLS13(s)) { /* Send random context when doing post-handshake auth */ @@ -2759,24 +2764,24 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) { s->pha_context_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, s->pha_context, s->pha_context_len, 0) <= 0 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* reset the handshake hash back to just after the ClientFinished */ if (!tls13_restore_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } } else { if (!WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } @@ -2784,7 +2789,7 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } goto done; } @@ -2793,7 +2798,7 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) if (!WPACKET_start_sub_packet_u8(pkt) || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (SSL_USE_SIGALGS(s)) { @@ -2805,19 +2810,19 @@ int tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) || !tls12_copy_sigalgs(s, pkt, psigs, nl) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } } if (!construct_ca_names(s, get_ca_names(s), pkt)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } done: s->certreqs_sent++; s->s3.tmp.cert_request = 1; - return 1; + return CON_FUNC_SUCCESS; } static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) @@ -3628,13 +3633,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, return ret; } -int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt) { CERT_PKEY *cpk = s->s3.tmp.cert; if (cpk == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } /* @@ -3643,14 +3648,14 @@ int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt) */ if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + return CON_FUNC_ERROR; } if (!ssl3_output_cert_chain(s, pkt, cpk)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, @@ -3696,13 +3701,10 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, return 1; } -/* - * Returns 1 on success, 0 to abort construction of the ticket (non-fatal), or - * -1 on fatal error - */ -static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt, - uint32_t age_add, - unsigned char *tick_nonce) +static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, + WPACKET *pkt, + uint32_t age_add, + unsigned char *tick_nonce) { unsigned char *senc = NULL; EVP_CIPHER_CTX *ctx = NULL; @@ -3715,7 +3717,8 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt, SSL_CTX *tctx = s->session_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; - int iv_len, ok = -1; + int iv_len; + CON_FUNC_RETURN ok = CON_FUNC_ERROR; size_t macoffset, macendoffset; SSL *ssl = SSL_CONNECTION_GET_SSL(s); SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); @@ -3804,7 +3807,7 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt, * ticket */ if (SSL_CONNECTION_IS_TLS13(s)) { - ok = 0; + ok = CON_FUNC_DONT_SEND; goto err; } /* Put timeout and length */ @@ -3816,7 +3819,7 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt, OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); ssl_hmac_free(hctx); - return 1; + return CON_FUNC_SUCCESS; } if (ret < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); @@ -3893,7 +3896,7 @@ static int construct_stateless_ticket(SSL_CONNECTION *s, WPACKET *pkt, goto err; } - ok = 1; + ok = CON_FUNC_SUCCESS; err: OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); @@ -3934,7 +3937,7 @@ static void tls_update_ticket_counts(SSL_CONNECTION *s) s->ext.extra_tickets_expected--; } -int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) { SSL_CTX *tctx = s->session_ctx; unsigned char tick_nonce[TICKET_NONCE_SIZE]; @@ -3942,7 +3945,7 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) unsigned char age_add_c[sizeof(uint32_t)]; uint32_t age_add; } age_add_u; - int ret = 0; + CON_FUNC_RETURN ret = CON_FUNC_ERROR; age_add_u.age_add = 0; @@ -4042,13 +4045,14 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) goto err; } } else { - int tmpret; + CON_FUNC_RETURN tmpret; tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add, tick_nonce); - if (tmpret != 1) { - if (tmpret == 0) { - ret = 2; /* Non-fatal. Abort construction but continue */ + if (tmpret != CON_FUNC_SUCCESS) { + if (tmpret == CON_FUNC_DONT_SEND) { + /* Non-fatal. Abort construction but continue */ + ret = CON_FUNC_DONT_SEND; /* We count this as a success so update the counts anwyay */ tls_update_ticket_counts(s); } @@ -4068,7 +4072,7 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) ssl_update_cache(s, SSL_SESS_CACHE_SERVER); } - ret = 1; + ret = CON_FUNC_SUCCESS; err: return ret; } @@ -4089,14 +4093,14 @@ int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt) return 1; } -int tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt) +CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt) { if (!tls_construct_cert_status_body(s, pkt)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -4135,15 +4139,16 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt) } #endif -static int tls_construct_encrypted_extensions(SSL_CONNECTION *s, WPACKET *pkt) +static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s, + WPACKET *pkt) { if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, NULL, 0)) { /* SSLfatal() already called */ - return 0; + return CON_FUNC_ERROR; } - return 1; + return CON_FUNC_SUCCESS; } MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt)