Google Git
Sign in
boringssl/boringssl.git/2e52121acd2befd3ad04953f94fae5e80d84b1a2^!/.
commit
2e52121acd2befd3ad04953f94fae5e80d84b1a2
[log]
author
David Benjamin <davidben@chromium.org>
Wed Jul 16 14:37:51 2014 -0400
committer
Adam Langley <agl@google.com>
Wed Jul 16 18:54:06 2014 +0000
tree
9a5c5a588cfe981787852841381789fcae6386a4
parent
8750fe58f4bd74a3dd1aeba47ace94907d0a7de5 [diff]
Fix magic SSL reason codes.

SSL reason codes corresponding to alerts have special values. Teach
make_errors.go that values above 1000 are reserved (otherwise it will assign
new values in that namespace). Also fix all the existing reason codes which
corresponded to alerts.

Change-Id: Ieabdf8fd59f4802938616934e1d84e659227cf84
Reviewed-on: https://boringssl-review.googlesource.com/1212
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 3ea2c4b..e8398d7 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -1615,6 +1615,9 @@
 
 DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 
+/* make_errors.go reserves error codes above 1000 for manually-assigned
+ * errors. This value must be kept in sync with reservedReasonCode in
+ * make_errors.h */
 #define SSL_AD_REASON_OFFSET		1000 /* offset to get SSL_R_... value from SSL_AD_... */
 
 /* These alert types are for SSLv3 and TLSv1 */
@@ -2360,16 +2363,17 @@
 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
 #endif
 
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
 void ERR_load_SSL_strings(void);
 
 
 #ifdef  __cplusplus
 }
 #endif
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script make_errors.go. Any
+ * changes made after this point may be overwritten when the script is next run.
+ */
 #define SSL_F_SSL_use_PrivateKey_file 100
 #define SSL_F_dtls1_write_app_data_bytes 101
 #define SSL_F_ssl_cipher_process_rulestr 102
@@ -2582,13 +2586,10 @@
 #define SSL_R_READ_TIMEOUT_EXPIRED 129
 #define SSL_R_KRB5_C_GET_CRED 130
 #define SSL_R_NULL_SSL_CTX 131
-#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 132
-#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 133
 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 134
 #define SSL_R_SSL3_SESSION_ID_TOO_LONG 135
 #define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 136
 #define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 137
-#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 138
 #define SSL_R_COOKIE_MISMATCH 139
 #define SSL_R_UNINITIALIZED 140
 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 141
@@ -2597,7 +2598,6 @@
 #define SSL_R_NO_CERTIFICATE_ASSIGNED 144
 #define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 145
 #define SSL_R_PEM_NAME_TOO_SHORT 146
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 147
 #define SSL_R_PROTOCOL_IS_SHUTDOWN 148
 #define SSL_R_UNABLE_TO_FIND_SSL_METHOD 149
 #define SSL_R_WRONG_MESSAGE_TYPE 150
@@ -2619,7 +2619,6 @@
 #define SSL_R_RECORD_TOO_LARGE 166
 #define SSL_R_BIO_NOT_SET 167
 #define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 168
-#define SSL_R_TLSV1_ALERT_DECODE_ERROR 169
 #define SSL_R_UNKNOWN_PKEY_TYPE 170
 #define SSL_R_CIPHER_CODE_WRONG_LENGTH 171
 #define SSL_R_SSL_SESSION_ID_CONFLICT 172
@@ -2643,7 +2642,6 @@
 #define SSL_R_BAD_DH_G_LENGTH 190
 #define SSL_R_BAD_ALERT_RECORD 191
 #define SSL_R_CIPHER_TABLE_SRC_ERROR 192
-#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 193
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 194
 #define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 195
 #define SSL_R_MESSAGE_TOO_LONG 196
@@ -2665,7 +2663,6 @@
 #define SSL_R_PSK_NO_CLIENT_CB 212
 #define SSL_R_PEM_NAME_BAD_PREFIX 213
 #define SSL_R_BAD_CHECKSUM 214
-#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 215
 #define SSL_R_NO_CIPHER_MATCH 216
 #define SSL_R_MISSING_TMP_DH_KEY 217
 #define SSL_R_UNSUPPORTED_STATUS_TYPE 218
@@ -2681,12 +2678,8 @@
 #define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 228
 #define SSL_R_GOST_NOT_SUPPORTED 229
 #define SSL_R_KRB5_C_CC_PRINC 230
-#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 231
-#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 232
-#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 233
 #define SSL_R_INVALID_PURPOSE 234
 #define SSL_R_KRB5_C_MK_REQ 235
-#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 236
 #define SSL_R_BAD_SRTP_MKI_VALUE 237
 #define SSL_R_EVP_DIGESTSIGNINIT_FAILED 238
 #define SSL_R_DIGEST_CHECK_FAILED 239
@@ -2701,7 +2694,6 @@
 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 248
 #define SSL_R_INVALID_COMPRESSION_ALGORITHM 249
 #define SSL_R_SHORT_READ 250
-#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 251
 #define SSL_R_CA_DN_LENGTH_MISMATCH 252
 #define SSL_R_BAD_ECC_CERT 253
 #define SSL_R_NON_SSLV2_INITIAL_PACKET 254
@@ -2713,18 +2705,14 @@
 #define SSL_R_NO_RENEGOTIATION 260
 #define SSL_R_NO_COMPRESSION_SPECIFIED 261
 #define SSL_R_WRONG_CERTIFICATE_TYPE 262
-#define SSL_R_TLSV1_UNRECOGNIZED_NAME 263
 #define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 264
 #define SSL_R_READ_BIO_NOT_SET 265
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 266
 #define SSL_R_RENEGOTIATE_EXT_TOO_LONG 267
 #define SSL_R_INVALID_CHALLENGE_LENGTH 268
-#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 269
 #define SSL_R_LIBRARY_HAS_NO_CIPHERS 270
 #define SSL_R_WRONG_CURVE 271
 #define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 272
-#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 273
-#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 274
 #define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 275
 #define SSL_R_MISSING_RSA_CERTIFICATE 276
 #define SSL_R_NO_P256_SUPPORT 277
@@ -2768,12 +2756,10 @@
 #define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 316
 #define SSL_R_HTTP_REQUEST 317
 #define SSL_R_KRB5_S_INIT 318
-#define SSL_R_TLSV1_ALERT_USER_CANCELLED 319
 #define SSL_R_RECORD_LENGTH_MISMATCH 320
 #define SSL_R_BAD_LENGTH 321
 #define SSL_R_NO_REQUIRED_DIGEST 322
 #define SSL_R_KRB5 323
-#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 324
 #define SSL_R_CCS_RECEIVED_EARLY 325
 #define SSL_R_MISSING_ECDSA_SIGNING_CERT 326
 #define SSL_R_D2I_ECDSA_SIG 327
@@ -2785,7 +2771,6 @@
 #define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 333
 #define SSL_R_NO_CERTIFICATE_SET 334
 #define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 335
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 336
 #define SSL_R_NO_CERTIFICATES_RETURNED 337
 #define SSL_R_BAD_WRITE_RETRY 338
 #define SSL_R_BAD_SSL_FILETYPE 339
@@ -2795,7 +2780,6 @@
 #define SSL_R_NO_CIPHERS_PASSED 343
 #define SSL_R_NO_VERIFY_CALLBACK 344
 #define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 345
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 346
 #define SSL_R_WRONG_NUMBER_OF_KEY_BITS 347
 #define SSL_R_UNEXPECTED_MESSAGE 348
 #define SSL_R_MISSING_DH_DSA_CERT 349
@@ -2813,22 +2797,17 @@
 #define SSL_R_PSK_IDENTITY_NOT_FOUND 361
 #define SSL_R_UNKNOWN_ALERT_TYPE 362
 #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 363
-#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 364
 #define SSL_R_BAD_AUTHENTICATION_TYPE 365
 #define SSL_R_DECRYPTION_FAILED 366
 #define SSL_R_WRONG_SSL_VERSION 367
 #define SSL_R_NO_CERTIFICATE_RETURNED 368
-#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 369
 #define SSL_R_CA_DN_TOO_LONG 370
 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 371
 #define SSL_R_COMPRESSION_LIBRARY_ERROR 372
-#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 373
 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 374
 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 375
 #define SSL_R_BAD_ECPOINT 376
 #define SSL_R_BAD_HANDSHAKE_LENGTH 377
-#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 378
-#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 379
 #define SSL_R_KRB5_S_RD_REQ 380
 #define SSL_R_PEER_ERROR_NO_CERTIFICATE 381
 #define SSL_R_PRE_MAC_LENGTH_TOO_LONG 382
@@ -2849,7 +2828,6 @@
 #define SSL_R_EXTRA_DATA_IN_MESSAGE 397
 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 398
 #define SSL_R_CONNECTION_ID_IS_DIFFERENT 399
-#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 400
 #define SSL_R_MISSING_VERIFY_MESSAGE 402
 #define SSL_R_BAD_DSA_SIGNATURE 403
 #define SSL_R_UNKNOWN_SSL_VERSION 404
@@ -2862,12 +2840,10 @@
 #define SSL_R_RECORD_TOO_SMALL 411
 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 412
 #define SSL_R_UNSUPPORTED_SSL_VERSION 413
-#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 414
 #define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 415
 #define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 416
 #define SSL_R_BAD_DATA 417
 #define SSL_R_KRB5_S_TKT_NYV 418
-#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 419
 #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 420
 #define SSL_R_BAD_MESSAGE_TYPE 421
 #define SSL_R_MISSING_ECDH_CERT 422
@@ -2888,5 +2864,33 @@
 #define SSL_R_CLIENTHELLO_PARSE_FAILED 437
 #define SSL_R_CONNECTION_REJECTED 438
 #define SSL_R_DECODE_ERROR 439
+#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
+#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
+#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
+#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
+#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030
+#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
+#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
+#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
+#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
+#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044
+#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
+#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046
+#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
+#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
+#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
+#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
+#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
+#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
+#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
+#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
+#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
+#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
+#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
+#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
+#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
+#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
+#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
 
 #endif

diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt
index 3e613b4..bbbc1aa 100644
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt

@@ -44,3 +44,11 @@
 
 	$<TARGET_OBJECTS:pqueue>
 )
+
+add_executable(
+	ssl_test
+
+	ssl_test.c
+)
+
+target_link_libraries(ssl_test crypto)

diff --git a/ssl/ssl_error.c b/ssl/ssl_error.c
index 51754d0..0097d60 100644
--- a/ssl/ssl_error.c
+++ b/ssl/ssl_error.c

@@ -117,7 +117,6 @@
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_hello, 0), "ssl3_get_client_hello"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_key_exchange, 0), "ssl3_get_client_key_exchange"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_finished, 0), "ssl3_get_finished"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_key_exchange, 0), "ssl3_get_server_key_exchange"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_message, 0), "ssl3_get_message"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_new_session_ticket, 0), "ssl3_get_new_session_ticket"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_next_proto, 0), "ssl3_get_next_proto"},
@@ -125,6 +124,7 @@
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_certificate, 0), "ssl3_get_server_certificate"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_done, 0), "ssl3_get_server_done"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_hello, 0), "ssl3_get_server_hello"},
+  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_key_exchange, 0), "ssl3_get_server_key_exchange"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_handshake_mac, 0), "ssl3_handshake_mac"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_read_bytes, 0), "ssl3_read_bytes"},
   {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_read_n, 0), "ssl3_read_n"},

diff --git a/ssl/ssl_test.c b/ssl/ssl_test.c
new file mode 100644
index 0000000..4652e85
--- /dev/null
+++ b/ssl/ssl_test.c

@@ -0,0 +1,30 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+
+#include "openssl/ssl.h"
+
+int main() {
+  /* Some error codes are special, but the make_errors.go script doesn't know
+   * this. This test will catch the case where something regenerates the error
+   * codes with the script but doesn't fix up the special ones. */
+  if (SSL_R_TLSV1_ALERT_NO_RENEGOTIATION != 100 + SSL_AD_REASON_OFFSET) {
+    fprintf(stderr, "SSL alert errors don't match up.\n");
+    return 1;
+  }
+
+  printf("PASS\n");
+  return 0;
+}

diff --git a/util/all_tests.sh b/util/all_tests.sh
index 5bfad27..def97ff 100644
--- a/util/all_tests.sh
+++ b/util/all_tests.sh

@@ -37,6 +37,7 @@
 ./crypto/x509v3/tab_test
 ./crypto/x509v3/v3name_test
 ./crypto/bytestring/bytestring_test
+./ssl/ssl_test
 "
 
 IFS=$'\n'

diff --git a/util/make_errors.go b/util/make_errors.go
index 20b3e2d..f770e3d 100644
--- a/util/make_errors.go
+++ b/util/make_errors.go

@@ -28,6 +28,11 @@
 	"unicode"
 )
 
+// ssl.h reserves values 1000 and above for error codes corresponding to
+// alerts. If automatically assigned reason codes exceed this value, this script
+// will error. This must be kept in sync with SSL_AD_REASON_OFFSET in ssl.h.
+const reservedReasonCode = 1000
+
 var resetFlag *bool = flag.Bool("reset", false, "If true, ignore current assignments and reassign from scratch")
 
 func makeErrors(reset bool) error {
@@ -59,7 +64,14 @@
 	if reset {
 		err = nil
 		functions = make(map[string]int)
-		reasons = make(map[string]int)
+		// Retain any reason codes above reservedReasonCode.
+		newReasons := make(map[string]int)
+		for key, value := range reasons {
+			if value >= reservedReasonCode {
+				newReasons[key] = value
+			}
+		}
+		reasons = newReasons
 	}
 
 	if err != nil {
@@ -87,8 +99,8 @@
 		}
 	}
 
-	assignNewValues(functions)
-	assignNewValues(reasons)
+	assignNewValues(functions, -1)
+	assignNewValues(reasons, reservedReasonCode)
 
 	headerFile, err = os.Open(headerPath)
 	if err != nil {
@@ -294,10 +306,13 @@
 	}
 }
 
-func assignNewValues(assignments map[string]int) {
+func assignNewValues(assignments map[string]int, reserved int) {
 	max := 99
 
 	for _, value := range assignments {
+		if reserved >= 0 && value >= reserved {
+			continue
+		}
 		if value > max {
 			max = value
 		}
@@ -307,6 +322,11 @@
 
 	for key, value := range assignments {
 		if value == -1 {
+			if reserved >= 0 && max >= reserved {
+				// If this happens, try passing
+				// -reset. Otherwise bump up reservedReasonCode.
+				panic("Automatically-assigned values exceeded limit!")
+			}
 			assignments[key] = max
 			max++
 		}