Add missing alert errors and error strings
authortb <tb@openbsd.org>
Wed, 9 Oct 2024 08:00:29 +0000 (08:00 +0000)
committertb <tb@openbsd.org>
Wed, 9 Oct 2024 08:00:29 +0000 (08:00 +0000)
For every TLS alert there needs to be a corresponding error with an error
code at an offset of SSL_AD_REASON_OFFSET (aka 1000), otherwise the error
stack fails to set the reason correctly.

ok beck

lib/libssl/ssl.h
lib/libssl/ssl_err.c

index 789a52b..41d34d9 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.242 2024/08/31 10:51:48 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.243 2024/10/09 08:00:29 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2239,7 +2239,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH             303
 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT               231
 #define SSL_R_SSL_SESSION_ID_TOO_LONG                   408
+#define SSL_R_TLSV13_ALERT_MISSING_EXTENSION            1109
+#define SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED                 1116
 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED                         1049
+#define SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL       1120
 #define SSL_R_TLSV1_ALERT_DECODE_ERROR                  1050
 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED             1021
 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR                         1051
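Review bot: The defines added in this hunk are not in the sorted order the surrounding list appears to follow: `SSL_R_TLSV13_ALERT_MISSING_EXTENSION` is placed before `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`, and `SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL` sits between `ACCESS_DENIED` and `DECODE_ERROR`, while ssl_err.c in the same commit lists the same names sorted. Keeping both files in the same order makes it easier to see by eye when an alert has no reason code. The rule from the commit message is also not recorded next to the values; a comment above the alert reasons such as `/* Alert reasons: value is SSL_AD_REASON_OFFSET + the alert description value. */` would tell the next editor why these numbers are fixed. The define list starts and ends outside the hunk.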
@@ -2251,6 +2254,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION              1070
 #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW               1022
 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA                    1048
+#define SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY          1115
 #define SSL_R_TLSV1_ALERT_USER_CANCELLED                1090
 #define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE          1114
 #define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE     1113
index e0fb1a2..eac2d9e 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.52 2024/09/09 07:40:03 tb Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.53 2024/10/09 08:00:29 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -392,6 +392,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
        {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "ssl session id has bad length"},
        {ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT), "ssl session id is different"},
        {ERR_REASON(SSL_R_SSL_SESSION_ID_TOO_LONG), "ssl session id is too long"},
+       {ERR_REASON(SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED), "tlsv13 alert certificate required"},
+       {ERR_REASON(SSL_R_TLSV13_ALERT_MISSING_EXTENSION), "tlsv13 alert missing extension"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"},
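Review bot: Nothing in the two files listed for this commit guards against the next alert being added without its reason entry; the rows added to `SSL_str_reasons` here and in the following hunk are kept in step with the alert list by hand. A regress test that walks the alert values the library can receive and checks that `ERR_reason_error_string()` returns a non-NULL string for the code built from alert value plus `SSL_AD_REASON_OFFSET` would catch such a gap before it reaches a release. A missing row means a peer's alert is logged without a usable reason, which costs time when diagnosing handshake failures. The table starts and ends outside the hunk.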
@@ -400,10 +402,12 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
        {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"},
+       {ERR_REASON(SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL), "tlsv1 alert no application protocol"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), "tlsv1 alert protocol version"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), "tlsv1 alert record overflow"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA), "tlsv1 alert unknown ca"},
+       {ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY), "tlsv1 alert unknown psk_identity"},
        {ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED), "tlsv1 alert user cancelled"},
        {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), "tlsv1 bad certificate hash value"},
        {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), "tlsv1 bad certificate status response"},
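Review bot: The string added for `SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY` is `"tlsv1 alert unknown psk_identity"`, with an underscore, while every other reason string visible in this table separates words with spaces, including the `"tlsv1 alert no application protocol"` row added in the same hunk. If the underscore is not deliberate, `"tlsv1 alert unknown psk identity"` keeps the output uniform for anything that matches alert reasons in logs. If it is deliberate, presumably to mirror the alert's protocol name, a short comment on that row would say so. The table continues outside the hunk.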