Add alert processing in tls client code, by adding alert to the

tls13 context, and emiting the alert at the upper layers when
the lower level code fails

ok jsing@, tb@

3 files changed, 30 insertions, 19 deletions

diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 07b9ede3454..b842cbd39cb 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.20 2020/01/20 13:10:37 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.21 2020/01/21 03:40:05 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -241,8 +241,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	uint16_t cipher_suite, legacy_version;
 	uint8_t compression_method;
 	const SSL_CIPHER *cipher;
+	int alert_desc;
 	SSL *s = ctx->ssl;
-	int alert;
 
 	if (!CBS_get_u16(cbs, &legacy_version))
 		goto err;
@@ -258,8 +258,10 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	if (tls13_server_hello_is_legacy(cbs))
 		return tls13_use_legacy_client(ctx);
 
-	if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH))
+	if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
+		ctx->alert = alert_desc;
 		goto err;
+	}
 
 	if (CBS_len(cbs) != 0)
 		goto err;
@@ -273,14 +275,14 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	 */
 	if (ctx->hs->server_version != 0) {
 		if (legacy_version != TLS1_2_VERSION) {
-			/* XXX - alert. */
+			ctx->alert = SSL_AD_PROTOCOL_VERSION;
 			goto err;
 		}
 	} else {
 		if (legacy_version < ctx->hs->min_version ||
 		    legacy_version > ctx->hs->max_version ||
 		    legacy_version > TLS1_2_VERSION) {
-			/* XXX - alert. */
+			ctx->alert = SSL_AD_PROTOCOL_VERSION;
 			goto err;
 		}
 		ctx->hs->server_version = legacy_version;
@@ -295,19 +297,19 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	cipher = ssl3_get_cipher_by_value(cipher_suite);
 	if (cipher == NULL ||
 	    sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) {
-		/* XXX - alert. */
+		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
 		goto err;
 	}
 	if (ctx->hs->server_version == TLS1_3_VERSION &&
 	    cipher->algorithm_ssl != SSL_TLSV1_3) {
-		/* XXX - alert. */
+		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
 		goto err;
 	}
 	/* XXX - move this to hs_tls13? */
 	S3I(s)->hs.new_cipher = cipher;
 
 	if (compression_method != 0) {
-		/* XXX - alert. */
+		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
 		goto err;
 	}
 
@@ -318,8 +320,8 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 	return 1;
 
  err:
-	/* XXX - send alert. */
-
+	if (ctx->alert == 0)
+		ctx->alert = TLS1_AD_DECODE_ERROR;
 	return 0;
 }
 
@@ -407,14 +409,16 @@ tls13_server_hello_recv(struct tls13_ctx *ctx)
 int
 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
 {
-	int alert;
 	CBS cbs;
+	int alert_desc;
 
 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
 		goto err;
 
-	if (!tlsext_client_parse(ctx->ssl, &cbs, &alert, SSL_TLSEXT_MSG_EE))
+	if (!tlsext_client_parse(ctx->ssl, &cbs, &alert_desc, SSL_TLSEXT_MSG_EE)) {
+		ctx->alert = alert_desc;
 		goto err;
+	}
 
 	if (CBS_len(&cbs) != 0)
 		goto err;
@@ -422,8 +426,8 @@ tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
 	return 1;
 
  err:
-	/* XXX - send alert. */
-
+	if (ctx->alert == 0)
+		ctx->alert = TLS1_AD_DECODE_ERROR;
 	return 0;
 }
 
@@ -627,13 +631,14 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
 		goto err;
 	if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
 	    CBS_len(&signature)) <= 0) {
-		/* XXX - send alert. */
 		goto err;
 	}
 
 	ret = 1;
 
  err:
+	if (!ret)
+		ctx->alert = TLS1_AD_DECODE_ERROR;
 	CBB_cleanup(&cbb);
 	EVP_MD_CTX_free(mdctx);
 	free(sig_content);
@@ -688,7 +693,7 @@ tls13_server_finished_recv(struct tls13_ctx *ctx)
 		goto err;
 
 	if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
-		/* XXX - send alert. */
+		ctx->alert = TLS1_AD_DECRYPTION_FAILED;
 		goto err;
 	}
 
diff --git a/lib/libssl/tls13_handshake.c b/lib/libssl/tls13_handshake.c
index c86187caec5..48a01d3ca4e 100644
--- a/lib/libssl/tls13_handshake.c
+++ b/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_handshake.c,v 1.37 2020/01/20 22:04:17 beck Exp $	*/
+/*	$OpenBSD: tls13_handshake.c,v 1.38 2020/01/21 03:40:05 beck Exp $	*/
 /*
  * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -291,7 +291,8 @@ tls13_handshake_perform(struct tls13_ctx *ctx)
 			ctx->handshake_completed = 1;
 			tls13_record_layer_handshake_completed(ctx->rl);
 			return TLS13_IO_SUCCESS;
-		}
+		} else if (ctx->alert)
+			return tls13_send_alert(ctx->rl, ctx->alert);
 
 		if (action->sender == ctx->mode) {
 			if ((ret = tls13_handshake_send_action(ctx, action)) <= 0)
@@ -329,6 +330,8 @@ tls13_handshake_send_action(struct tls13_ctx *ctx,
 		/* XXX - provide CBB. */
 		if (!action->send(ctx))
 			return TLS13_IO_FAILURE;
+		else if (ctx->alert)
+			return tls13_send_alert(ctx->rl, ctx->alert);
 	}
 
 	if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
@@ -389,6 +392,8 @@ tls13_handshake_recv_action(struct tls13_ctx *ctx,
 	ret = TLS13_IO_FAILURE;
 	if (action->recv(ctx))
 		ret = TLS13_IO_SUCCESS;
+	else if (ctx->alert)
+		ret = tls13_send_alert(ctx->rl, ctx->alert);
 
 	tls13_handshake_msg_free(ctx->hs_msg);
 	ctx->hs_msg = NULL;
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index 41833f233f3..530ace41afb 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.37 2020/01/20 13:10:37 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.38 2020/01/21 03:40:05 beck Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -186,6 +186,7 @@ struct tls13_ctx {
 	struct tls13_record_layer *rl;
 	struct tls13_handshake_msg *hs_msg;
 	uint8_t key_update_request;
+	uint8_t alert;
 	int phh_count;
 	time_t phh_last_seen;
 };