From 9c83d7109b1bc23a577588a4a59bd6ddbe44db56 Mon Sep 17 00:00:00 2001
From: jsing
Date: Sat, 27 Jan 2024 14:23:51 +0000
Subject: [PATCH] Add message callbacks for alerts in the TLSv1.3 stack.

This will make it easier to regress test shutdown behaviour in the TLSv1.3 stack. Additionally, `openssl -msg` now shows alerts for TLSv1.3 connections. ok tb@
---
 lib/libssl/tls13_internal.h | 11 +++++----
 lib/libssl/tls13_lib.c | 42 ++++++++++++++++++++++++++++++---
 lib/libssl/tls13_record_layer.c | 6 ++---
 3 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index f4b17bdf253..68e695e53a1 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.101 2022/07/24 14:28:16 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.102 2024/01/27 14:23:51 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck
 * Copyright (c) 2018 Theo Buehler
@@ -87,7 +87,8 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_INFO_ACCEPT_EXIT SSL_CB_ACCEPT_EXIT
 #define TLS13_INFO_CONNECT_EXIT SSL_CB_CONNECT_EXIT
-typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg);
+typedef void (*tls13_alert_cb)(uint8_t _alert_level, uint8_t _alert_desc,
+ void *_cb_arg);
 typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg);
 typedef void (*tls13_phh_sent_cb)(void *_cb_arg);
 typedef void (*tls13_handshake_message_cb)(void *_cb_arg);
@@ -291,6 +292,8 @@ struct tls13_ctx {
 int phh_count;
 time_t phh_last_seen;
+ tls13_alert_cb alert_sent_cb;
+ tls13_alert_cb alert_recv_cb;
 tls13_handshake_message_cb handshake_message_sent_cb;
 tls13_handshake_message_cb handshake_message_recv_cb;
 tls13_info_cb info_cb;
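Review bot: The new `alert_sent_cb` and `alert_recv_cb` members of `struct tls13_ctx` are added without a comment saying when they fire or what they receive, and the widened `tls13_alert_cb` typedef in the preceding hunk likewise leaves `_alert_level` undocumented. A one-line comment above the two fields, `/* Invoked for each alert the record layer sends or accepts, with its level and description. */`, would tell a regress-test author what they can hook. Any other implementer of `tls13_alert_cb` outside this diff (for instance the regress tests the commit message mentions) will need the same two-argument signature; none appear here, so that is worth confirming.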
@@ -309,8 +312,8 @@ void tls13_ctx_free(struct tls13_ctx *ctx);
 const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher);
 const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher);
-void tls13_alert_received_cb(uint8_t alert_desc, void *arg);
-void tls13_alert_sent_cb(uint8_t alert_desc, void *arg);
+void tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg);
+void tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg);
 ssize_t tls13_phh_received_cb(void *cb_arg);
 void tls13_phh_done_cb(void *cb_arg);
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index 05f125adc87..331a3ad1a78 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.76 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 * Copyright (c) 2019 Bob Beck
@@ -110,11 +110,42 @@ tls13_cipher_hash(const SSL_CIPHER *cipher)
 return NULL;
 }
+static void
+tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc,
+ void *arg)
+{
+ uint8_t alert[] = {alert_level, alert_desc};
+ struct tls13_ctx *ctx = arg;
+ SSL *s = ctx->ssl;
+ CBS cbs;
+
+ if (s->msg_callback == NULL)
+ return;
+
+ CBS_init(&cbs, alert, sizeof(alert));
+ ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs);
+}
+
+static void
+tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
+{
+ tls13_legacy_alert_cb(0, alert_level, alert_desc, arg);
+}
+
+static void
+tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
+{
+ tls13_legacy_alert_cb(1, alert_level, alert_desc, arg);
+}
+
 void
-tls13_alert_received_cb(uint8_t alert_desc, void *arg)
+tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
 {
 struct tls13_ctx *ctx = arg;
+ if (ctx->alert_recv_cb != NULL)
+ ctx->alert_recv_cb(alert_level, alert_desc, arg);
+
 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
 ctx->close_notify_recv = 1;
 ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
@@ -140,10 +171,13 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg)
 }
 void
-tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
+tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
 {
 struct tls13_ctx *ctx = arg;
+ if (ctx->alert_sent_cb != NULL)
+ ctx->alert_sent_cb(alert_level, alert_desc, arg);
+
 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
 ctx->close_notify_sent = 1;
 return;
@@ -514,6 +548,8 @@ tls13_ctx_new(int mode, SSL *ssl)
 if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
 goto err;
+ ctx->alert_sent_cb = tls13_legacy_alert_sent_cb;
+ ctx->alert_recv_cb = tls13_legacy_alert_recv_cb;
 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
 ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
 ctx->info_cb = tls13_legacy_info_cb;
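Review bot: In `tls13_alert_received_cb` the new `ctx->alert_recv_cb` call runs before `close_notify_recv` and `ctx->ssl->shutdown` are updated, so a callback that inspects the shutdown state sees the value from before the alert; the same ordering applies to the `alert_sent_cb` call in `tls13_alert_sent_cb` in the following hunk. If that is deliberate because the callbacks are meant only to observe the alert, a comment at the call site would prevent a later reordering, e.g. `/* Notify before shutdown state changes: callbacks only observe the alert. */`. `tls13_legacy_alert_cb` would also benefit from a line stating why it builds a two-byte buffer, `/* Present the alert as the body of an SSL3_RT_ALERT record for the legacy msg_callback. */`, since that is what makes the alert visible to consumers such as `openssl -msg`. Both `tls13_alert_*_cb` functions continue past the end of their hunks.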
diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c
index 4ae4e298ebc..5432744cd73 100644
--- a/lib/libssl/tls13_record_layer.c
+++ b/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.72 2022/11/11 17:15:27 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.73 2024/01/27 14:23:51 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -327,7 +327,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
 return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
 }
- rl->cb.alert_recv(alert_desc, rl->cb_arg);
+ rl->cb.alert_recv(alert_level, alert_desc, rl->cb_arg);
 return ret;
 }
@@ -361,7 +361,7 @@ tls13_record_layer_send_alert(struct tls13_record_layer *rl)
 ret = TLS13_IO_ALERT;
 }
- rl->cb.alert_sent(rl->alert_desc, rl->cb_arg);
+ rl->cb.alert_sent(rl->alert_level, rl->alert_desc, rl->cb_arg);
 return ret;
 }
-- 
2.20.1
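Review bot: `tls13_record_layer_send_alert` now hands `rl->alert_level` to the callback, which presumes that every path setting `rl->alert_desc` also sets `rl->alert_level`; that assignment is outside the hunk, so it is worth confirming no alert is queued with only the descriptor, as the callback would then report a stale or zero level. In `tls13_record_layer_process_alert` the callback appears to be reached only after the validation that ends in the `TLS13_ALERT_ILLEGAL_PARAMETER` return above it, so consumers can treat `alert_level` as already checked; a comment at the call, `/* Level and description were validated above before being reported. */`, would make that contract explicit for callback authors. Both enclosing functions start outside their hunks.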