Add message callbacks for alerts in the TLSv1.3 stack.
author: jsing <jsing@openbsd.org>
Sat, 27 Jan 2024 14:23:51 +0000 (14:23 +0000)
committer: jsing <jsing@openbsd.org>
Sat, 27 Jan 2024 14:23:51 +0000 (14:23 +0000)
This will make it easier to regress test shutdown behaviour in the TLSv1.3
stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3
connections.

ok tb@

lib/libssl/tls13_internal.h
lib/libssl/tls13_lib.c
lib/libssl/tls13_record_layer.c

index f4b17bd..68e695e 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.101 2022/07/24 14:28:16 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.102 2024/01/27 14:23:51 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -87,7 +87,8 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_INFO_ACCEPT_EXIT                         SSL_CB_ACCEPT_EXIT
 #define TLS13_INFO_CONNECT_EXIT                                SSL_CB_CONNECT_EXIT
 
-typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
+typedef void (*tls13_alert_cb)(uint8_t _alert_level, uint8_t _alert_desc,
+    void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg);
 typedef void (*tls13_phh_sent_cb)(void *_cb_arg);
 typedef void (*tls13_handshake_message_cb)(void *_cb_arg);
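Review bot: The widened tls13_alert_cb typedef gets no comment describing what the two bytes are or who validated them, and since this commit turns the callback into a per-context hook (alert_sent_cb/alert_recv_cb) the contract should be written down at the declaration. I would add above the typedef: `/* Alert callbacks receive the two-byte alert (level, description) as sent, or as received from the peer; _cb_arg is the owning struct tls13_ctx. */`. Whether a received level has been checked against TLS13_ALERT_LEVEL_WARNING/FATAL before the callback fires is decided in the record layer rather than here, so the comment should not promise more than that unless it is confirmed there.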
@@ -291,6 +292,8 @@ struct tls13_ctx {
        int phh_count;
        time_t phh_last_seen;
 
+       tls13_alert_cb alert_sent_cb;
+       tls13_alert_cb alert_recv_cb;
        tls13_handshake_message_cb handshake_message_sent_cb;
        tls13_handshake_message_cb handshake_message_recv_cb;
        tls13_info_cb info_cb;
@@ -309,8 +312,8 @@ void tls13_ctx_free(struct tls13_ctx *ctx);
 const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher);
 const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher);
 
-void tls13_alert_received_cb(uint8_t alert_desc, void *arg);
-void tls13_alert_sent_cb(uint8_t alert_desc, void *arg);
+void tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg);
+void tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg);
 ssize_t tls13_phh_received_cb(void *cb_arg);
 void tls13_phh_done_cb(void *cb_arg);
 
index 05f125a..331a3ad 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tls13_lib.c,v 1.76 2022/11/26 16:08:56 tb Exp $ */
+/*     $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -110,11 +110,42 @@ tls13_cipher_hash(const SSL_CIPHER *cipher)
        return NULL;
 }
 
+static void
+tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc,
+    void *arg)
+{
+       uint8_t alert[] = {alert_level, alert_desc};
+       struct tls13_ctx *ctx = arg;
+       SSL *s = ctx->ssl;
+       CBS cbs;
+
+       if (s->msg_callback == NULL)
+               return;
+
+       CBS_init(&cbs, alert, sizeof(alert));
+       ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs);
+}
+
+static void
+tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
+{
+       tls13_legacy_alert_cb(0, alert_level, alert_desc, arg);
+}
+
+static void
+tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
+{
+       tls13_legacy_alert_cb(1, alert_level, alert_desc, arg);
+}
+
 void
-tls13_alert_received_cb(uint8_t alert_desc, void *arg)
+tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
 {
        struct tls13_ctx *ctx = arg;
 
+       if (ctx->alert_recv_cb != NULL)
+               ctx->alert_recv_cb(alert_level, alert_desc, arg);
+
        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
                ctx->close_notify_recv = 1;
                ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
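Review bot: In tls13_alert_received_cb the new alert_recv_cb hook fires before close_notify_recv and ctx->ssl->shutdown are updated on the lines that follow it, so a legacy msg_callback that inspects SSL_get_shutdown() from inside the callback observes the pre-alert state; if that ordering is intended (it mirrors how a record is reported before it is acted on) it deserves a one-line comment such as `/* Notify before updating shutdown state; callbacks see pre-alert state. */`. In tls13_legacy_alert_cb the CBS passed to ssl_msg_callback_cbs points at the two-byte `alert` array on the stack, which is fine for a synchronous callback but worth stating: `/* alert[] is on the stack: only valid for the duration of the callback. */`. The body of tls13_alert_received_cb continues outside the hunk.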
@@ -140,10 +171,13 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg)
 }
 
 void
-tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
+tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
 {
        struct tls13_ctx *ctx = arg;
 
+       if (ctx->alert_sent_cb != NULL)
+               ctx->alert_sent_cb(alert_level, alert_desc, arg);
+
        if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
                ctx->close_notify_sent = 1;
                return;
@@ -514,6 +548,8 @@ tls13_ctx_new(int mode, SSL *ssl)
        if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
                goto err;
 
+       ctx->alert_sent_cb = tls13_legacy_alert_sent_cb;
+       ctx->alert_recv_cb = tls13_legacy_alert_recv_cb;
        ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
        ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
        ctx->info_cb = tls13_legacy_info_cb;
index 4ae4e29..5432744 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.72 2022/11/11 17:15:27 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.73 2024/01/27 14:23:51 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -327,7 +327,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
                return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
        }
 
-       rl->cb.alert_recv(alert_desc, rl->cb_arg);
+       rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg);
 
        return ret;
 }
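Review bot: The alert_level now forwarded to cb.alert_recv is the raw byte taken from the peer's alert record; the only validation visible in the hunk is the illegal_parameter rejection immediately above, and the branches that decide which levels are accepted for which descriptions start outside the hunk. Consumers of the new hook (the regress tests this commit enables and the `-msg` output) should treat the level as informational rather than as proof that the alert was fatal or a warning, and a short comment at the call would make that explicit: `/* Level is the peer-supplied byte; any validation happened above. */`. tls13_record_layer_process_alert begins outside the hunk.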
@@ -361,7 +361,7 @@ tls13_record_layer_send_alert(struct tls13_record_layer *rl)
                ret = TLS13_IO_ALERT;
        }
 
-       rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
+       rl->cb.alert_sent(rl->alert_level, rl->alert_desc, rl->cb_arg);
 
        return ret;
 }
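Review bot: rl->alert_level is read here for the callback but no assignment to it appears in the diff; presumably it is stored next to rl->alert_desc when the alert is queued, but since this is the first reader of that field on this path it is worth confirming that every route into tls13_record_layer_send_alert sets both fields together so the callback never reports a stale level with a fresh description. If the pairing holds, a comment at the call would document it: `/* alert_level and alert_desc were set together when the alert was queued. */`. tls13_record_layer_send_alert begins outside the hunk.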