Bladeren bron

[tls] Disambiguate most error causes

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 jaren geleden
bovenliggende
commit
79300e2ddf
1 gewijzigde bestanden met toevoegingen van 140 en 32 verwijderingen
  1. 140
    32
      src/net/tls.c

+ 140
- 32
src/net/tls.c Bestand weergeven

@@ -49,10 +49,118 @@ FILE_LICENCE ( GPL2_OR_LATER );
49 49
 #include <ipxe/tls.h>
50 50
 
51 51
 /* Disambiguate the various error causes */
52
-#define EACCES_WRONG_NAME \
53
-	__einfo_error ( EINFO_EACCES_WRONG_NAME )
54
-#define EINFO_EACCES_WRONG_NAME \
55
-	__einfo_uniqify ( EINFO_EACCES, 0x02, "Incorrect server name" )
52
+#define EACCES_WRONG_NAME __einfo_error ( EINFO_EACCES_WRONG_NAME )
53
+#define EINFO_EACCES_WRONG_NAME						\
54
+	__einfo_uniqify ( EINFO_EACCES, 0x02,				\
55
+			  "Incorrect server name" )
56
+#define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER )
57
+#define EINFO_EINVAL_CHANGE_CIPHER					\
58
+	__einfo_uniqify ( EINFO_EINVAL, 0x01,				\
59
+			  "Invalid Change Cipher record" )
60
+#define EINVAL_ALERT __einfo_error ( EINFO_EINVAL_ALERT )
61
+#define EINFO_EINVAL_ALERT						\
62
+	__einfo_uniqify ( EINFO_EINVAL, 0x02,				\
63
+			  "Invalid Alert record" )
64
+#define EINVAL_HELLO __einfo_error ( EINFO_EINVAL_HELLO )
65
+#define EINFO_EINVAL_HELLO						\
66
+	__einfo_uniqify ( EINFO_EINVAL, 0x03,				\
67
+			  "Invalid Server Hello record" )
68
+#define EINVAL_CERTIFICATE __einfo_error ( EINFO_EINVAL_CERTIFICATE )
69
+#define EINFO_EINVAL_CERTIFICATE					\
70
+	__einfo_uniqify ( EINFO_EINVAL, 0x04,				\
71
+			  "Invalid Certificate" )
72
+#define EINVAL_CERTIFICATES __einfo_error ( EINFO_EINVAL_CERTIFICATES )
73
+#define EINFO_EINVAL_CERTIFICATES					\
74
+	__einfo_uniqify ( EINFO_EINVAL, 0x05,				\
75
+			  "Invalid Server Certificate record" )
76
+#define EINVAL_HELLO_DONE __einfo_error ( EINFO_EINVAL_HELLO_DONE )
77
+#define EINFO_EINVAL_HELLO_DONE						\
78
+	__einfo_uniqify ( EINFO_EINVAL, 0x06,				\
79
+			  "Invalid Server Hello Done record" )
80
+#define EINVAL_FINISHED __einfo_error ( EINFO_EINVAL_FINISHED )
81
+#define EINFO_EINVAL_FINISHED						\
82
+	__einfo_uniqify ( EINFO_EINVAL, 0x07,				\
83
+			  "Invalid Server Finished record" )
84
+#define EINVAL_HANDSHAKE __einfo_error ( EINFO_EINVAL_HANDSHAKE )
85
+#define EINFO_EINVAL_HANDSHAKE						\
86
+	__einfo_uniqify ( EINFO_EINVAL, 0x08,				\
87
+			  "Invalid Handshake record" )
88
+#define EINVAL_STREAM __einfo_error ( EINFO_EINVAL_STREAM )
89
+#define EINFO_EINVAL_STREAM						\
90
+	__einfo_uniqify ( EINFO_EINVAL, 0x09,				\
91
+			  "Invalid stream-ciphered record" )
92
+#define EINVAL_BLOCK __einfo_error ( EINFO_EINVAL_BLOCK )
93
+#define EINFO_EINVAL_BLOCK						\
94
+	__einfo_uniqify ( EINFO_EINVAL, 0x0a,				\
95
+			  "Invalid block-ciphered record" )
96
+#define EINVAL_PADDING __einfo_error ( EINFO_EINVAL_PADDING )
97
+#define EINFO_EINVAL_PADDING						\
98
+	__einfo_uniqify ( EINFO_EINVAL, 0x0b,				\
99
+			  "Invalid block padding" )
100
+#define EINVAL_RX_STATE __einfo_error ( EINFO_EINVAL_RX_STATE )
101
+#define EINFO_EINVAL_RX_STATE						\
102
+	__einfo_uniqify ( EINFO_EINVAL, 0x0c,				\
103
+			  "Invalid receive state" )
104
+#define EIO_ALERT __einfo_error ( EINFO_EIO_ALERT )
105
+#define EINFO_EIO_ALERT							\
106
+	__einfo_uniqify ( EINFO_EINVAL, 0x01,				\
107
+			  "Unknown alert level" )
108
+#define ENOMEM_CONTEXT __einfo_error ( EINFO_ENOMEM_CONTEXT )
109
+#define EINFO_ENOMEM_CONTEXT						\
110
+	__einfo_uniqify ( EINFO_ENOMEM, 0x01,				\
111
+			  "Not enough space for crypto context" )
112
+#define ENOMEM_CERTIFICATE __einfo_error ( EINFO_ENOMEM_CERTIFICATE )
113
+#define EINFO_ENOMEM_CERTIFICATE					\
114
+	__einfo_uniqify ( EINFO_ENOMEM, 0x02,				\
115
+			  "Not enough space for certificate" )
116
+#define ENOMEM_CHAIN __einfo_error ( EINFO_ENOMEM_CHAIN )
117
+#define EINFO_ENOMEM_CHAIN						\
118
+	__einfo_uniqify ( EINFO_ENOMEM, 0x03,				\
119
+			  "Not enough space for certificate chain" )
120
+#define ENOMEM_TX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_TX_PLAINTEXT )
121
+#define EINFO_ENOMEM_TX_PLAINTEXT					\
122
+	__einfo_uniqify ( EINFO_ENOMEM, 0x04,				\
123
+			  "Not enough space for transmitted plaintext" )
124
+#define ENOMEM_TX_CIPHERTEXT __einfo_error ( EINFO_ENOMEM_TX_CIPHERTEXT )
125
+#define EINFO_ENOMEM_TX_CIPHERTEXT					\
126
+	__einfo_uniqify ( EINFO_ENOMEM, 0x05,				\
127
+			  "Not enough space for transmitted ciphertext" )
128
+#define ENOMEM_RX_PLAINTEXT __einfo_error ( EINFO_ENOMEM_RX_PLAINTEXT )
129
+#define EINFO_ENOMEM_RX_PLAINTEXT					\
130
+	__einfo_uniqify ( EINFO_ENOMEM, 0x06,				\
131
+			  "Not enough space for received plaintext" )
132
+#define ENOMEM_RX_DATA __einfo_error ( EINFO_ENOMEM_RX_DATA )
133
+#define EINFO_ENOMEM_RX_DATA						\
134
+	__einfo_uniqify ( EINFO_ENOMEM, 0x07,				\
135
+			  "Not enough space for received data" )
136
+#define ENOTSUP_CIPHER __einfo_error ( EINFO_ENOTSUP_CIPHER )
137
+#define EINFO_ENOTSUP_CIPHER						\
138
+	__einfo_uniqify ( EINFO_ENOTSUP, 0x01,				\
139
+			  "Unsupported cipher" )
140
+#define ENOTSUP_NULL __einfo_error ( EINFO_ENOTSUP_NULL )
141
+#define EINFO_ENOTSUP_NULL						\
142
+	__einfo_uniqify ( EINFO_ENOTSUP, 0x02,				\
143
+			  "Refusing to use null cipher" )
144
+#define ENOTSUP_SIG_HASH __einfo_error ( EINFO_ENOTSUP_SIG_HASH )
145
+#define EINFO_ENOTSUP_SIG_HASH						\
146
+	__einfo_uniqify ( EINFO_ENOTSUP, 0x03,				\
147
+			  "Unsupported signature and hash algorithm" )
148
+#define ENOTSUP_VERSION __einfo_error ( EINFO_ENOTSUP_VERSION )
149
+#define EINFO_ENOTSUP_VERSION						\
150
+	__einfo_uniqify ( EINFO_ENOTSUP, 0x04,				\
151
+			  "Unsupported protocol version" )
152
+#define EPERM_ALERT __einfo_error ( EINFO_EPERM_ALERT )
153
+#define EINFO_EPERM_ALERT						\
154
+	__einfo_uniqify ( EINFO_EPERM, 0x01,				\
155
+			  "Received fatal alert" )
156
+#define EPERM_VERIFY __einfo_error ( EINFO_EPERM_VERIFY )
157
+#define EINFO_EPERM_VERIFY						\
158
+	__einfo_uniqify ( EINFO_EPERM, 0x02,				\
159
+			  "Handshake verification failed" )
160
+#define EPROTO_VERSION __einfo_error ( EINFO_EPROTO_VERSION )
161
+#define EINFO_EPROTO_VERSION						\
162
+	__einfo_uniqify ( EINFO_EINVAL, 0x01,				\
163
+			  "Illegal protocol version upgrade" )
56 164
 
57 165
 static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
58 166
 				const void *data, size_t len );
@@ -640,7 +748,7 @@ static int tls_set_cipher ( struct tls_session *tls,
640 748
 	if ( ! dynamic ) {
641 749
 		DBGC ( tls, "TLS %p could not allocate %zd bytes for crypto "
642 750
 		       "context\n", tls, total );
643
-		return -ENOMEM;
751
+		return -ENOMEM_CONTEXT;
644 752
 	}
645 753
 
646 754
 	/* Assign storage */
@@ -674,7 +782,7 @@ static int tls_select_cipher ( struct tls_session *tls,
674 782
 	if ( ! suite ) {
675 783
 		DBGC ( tls, "TLS %p does not support cipher %04x\n",
676 784
 		       tls, ntohs ( cipher_suite ) );
677
-		return -ENOTSUP;
785
+		return -ENOTSUP_CIPHER;
678 786
 	}
679 787
 
680 788
 	/* Set ciphers */
@@ -707,7 +815,7 @@ static int tls_change_cipher ( struct tls_session *tls,
707 815
 	/* Sanity check */
708 816
 	if ( pending->suite == &tls_cipher_suite_null ) {
709 817
 		DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
710
-		return -ENOTSUP;
818
+		return -ENOTSUP_NULL;
711 819
 	}
712 820
 
713 821
 	tls_clear_cipher ( tls, active );
@@ -957,7 +1065,7 @@ static int tls_send_certificate ( struct tls_session *tls ) {
957 1065
 	 */
958 1066
 	certificate = zalloc ( sizeof ( *certificate ) );
959 1067
 	if ( ! certificate )
960
-		return -ENOMEM;
1068
+		return -ENOMEM_CERTIFICATE;
961 1069
 
962 1070
 	/* Populate record */
963 1071
 	certificate->type_length =
@@ -1059,7 +1167,7 @@ static int tls_send_certificate_verify ( struct tls_session *tls ) {
1059 1167
 			DBGC ( tls, "TLS %p could not identify (%s,%s) "
1060 1168
 			       "signature and hash algorithm\n", tls,
1061 1169
 			       pubkey->name, digest->name );
1062
-			rc = -ENOTSUP;
1170
+			rc = -ENOTSUP_SIG_HASH;
1063 1171
 			goto err_sig_hash;
1064 1172
 		}
1065 1173
 	}
@@ -1179,7 +1287,7 @@ static int tls_new_change_cipher ( struct tls_session *tls,
1179 1287
 	if ( ( len != 1 ) || ( *( ( uint8_t * ) data ) != 1 ) ) {
1180 1288
 		DBGC ( tls, "TLS %p received invalid Change Cipher\n", tls );
1181 1289
 		DBGC_HD ( tls, data, len );
1182
-		return -EINVAL;
1290
+		return -EINVAL_CHANGE_CIPHER;
1183 1291
 	}
1184 1292
 
1185 1293
 	if ( ( rc = tls_change_cipher ( tls, &tls->rx_cipherspec_pending,
@@ -1214,7 +1322,7 @@ static int tls_new_alert ( struct tls_session *tls, const void *data,
1214 1322
 	if ( end != ( data + len ) ) {
1215 1323
 		DBGC ( tls, "TLS %p received overlength Alert\n", tls );
1216 1324
 		DBGC_HD ( tls, data, len );
1217
-		return -EINVAL;
1325
+		return -EINVAL_ALERT;
1218 1326
 	}
1219 1327
 
1220 1328
 	switch ( alert->level ) {
@@ -1225,11 +1333,11 @@ static int tls_new_alert ( struct tls_session *tls, const void *data,
1225 1333
 	case TLS_ALERT_FATAL:
1226 1334
 		DBGC ( tls, "TLS %p received fatal alert %d\n",
1227 1335
 		       tls, alert->description );
1228
-		return -EPERM;
1336
+		return -EPERM_ALERT;
1229 1337
 	default:
1230 1338
 		DBGC ( tls, "TLS %p received unknown alert level %d"
1231 1339
 		       "(alert %d)\n", tls, alert->level, alert->description );
1232
-		return -EIO;
1340
+		return -EIO_ALERT;
1233 1341
 	}
1234 1342
 }
1235 1343
 
@@ -1263,7 +1371,7 @@ static int tls_new_server_hello ( struct tls_session *tls,
1263 1371
 	if ( end > ( data + len ) ) {
1264 1372
 		DBGC ( tls, "TLS %p received underlength Server Hello\n", tls );
1265 1373
 		DBGC_HD ( tls, data, len );
1266
-		return -EINVAL;
1374
+		return -EINVAL_HELLO;
1267 1375
 	}
1268 1376
 
1269 1377
 	/* Check and store protocol version */
@@ -1271,13 +1379,13 @@ static int tls_new_server_hello ( struct tls_session *tls,
1271 1379
 	if ( version < TLS_VERSION_TLS_1_0 ) {
1272 1380
 		DBGC ( tls, "TLS %p does not support protocol version %d.%d\n",
1273 1381
 		       tls, ( version >> 8 ), ( version & 0xff ) );
1274
-		return -ENOTSUP;
1382
+		return -ENOTSUP_VERSION;
1275 1383
 	}
1276 1384
 	if ( version > tls->version ) {
1277 1385
 		DBGC ( tls, "TLS %p server attempted to illegally upgrade to "
1278 1386
 		       "protocol version %d.%d\n",
1279 1387
 		       tls, ( version >> 8 ), ( version & 0xff ) );
1280
-		return -EPROTO;
1388
+		return -EPROTO_VERSION;
1281 1389
 	}
1282 1390
 	tls->version = version;
1283 1391
 	DBGC ( tls, "TLS %p using protocol version %d.%d\n",
@@ -1334,7 +1442,7 @@ static int tls_parse_chain ( struct tls_session *tls,
1334 1442
 	/* Create certificate chain */
1335 1443
 	tls->chain = x509_alloc_chain();
1336 1444
 	if ( ! tls->chain ) {
1337
-		rc = -ENOMEM;
1445
+		rc = -ENOMEM_CHAIN;
1338 1446
 		goto err_alloc_chain;
1339 1447
 	}
1340 1448
 
@@ -1348,7 +1456,7 @@ static int tls_parse_chain ( struct tls_session *tls,
1348 1456
 		if ( next > end ) {
1349 1457
 			DBGC ( tls, "TLS %p overlength certificate:\n", tls );
1350 1458
 			DBGC_HDA ( tls, 0, data, ( end - data ) );
1351
-			rc = -EINVAL;
1459
+			rc = -EINVAL_CERTIFICATE;
1352 1460
 			goto err_overlength;
1353 1461
 		}
1354 1462
 
@@ -1401,7 +1509,7 @@ static int tls_new_certificate ( struct tls_session *tls,
1401 1509
 		DBGC ( tls, "TLS %p received overlength Server Certificate\n",
1402 1510
 		       tls );
1403 1511
 		DBGC_HD ( tls, data, len );
1404
-		return -EINVAL;
1512
+		return -EINVAL_CERTIFICATES;
1405 1513
 	}
1406 1514
 
1407 1515
 	/* Parse certificate chain */
@@ -1456,7 +1564,7 @@ static int tls_new_server_hello_done ( struct tls_session *tls,
1456 1564
 		DBGC ( tls, "TLS %p received overlength Server Hello Done\n",
1457 1565
 		       tls );
1458 1566
 		DBGC_HD ( tls, data, len );
1459
-		return -EINVAL;
1567
+		return -EINVAL_HELLO_DONE;
1460 1568
 	}
1461 1569
 
1462 1570
 	/* Begin certificate validation */
@@ -1492,7 +1600,7 @@ static int tls_new_finished ( struct tls_session *tls,
1492 1600
 	if ( end != ( data + len ) ) {
1493 1601
 		DBGC ( tls, "TLS %p received overlength Finished\n", tls );
1494 1602
 		DBGC_HD ( tls, data, len );
1495
-		return -EINVAL;
1603
+		return -EINVAL_FINISHED;
1496 1604
 	}
1497 1605
 
1498 1606
 	/* Verify data */
@@ -1503,7 +1611,7 @@ static int tls_new_finished ( struct tls_session *tls,
1503 1611
 	if ( memcmp ( verify_data, finished->verify_data,
1504 1612
 		      sizeof ( verify_data ) ) != 0 ) {
1505 1613
 		DBGC ( tls, "TLS %p verification failed\n", tls );
1506
-		return -EPERM;
1614
+		return -EPERM_VERIFY;
1507 1615
 	}
1508 1616
 
1509 1617
 	/* Mark server as finished */
@@ -1543,7 +1651,7 @@ static int tls_new_handshake ( struct tls_session *tls,
1543 1651
 			DBGC ( tls, "TLS %p received overlength Handshake\n",
1544 1652
 			       tls );
1545 1653
 			DBGC_HD ( tls, data, len );
1546
-			return -EINVAL;
1654
+			return -EINVAL_HANDSHAKE;
1547 1655
 		}
1548 1656
 
1549 1657
 		switch ( handshake->type ) {
@@ -1783,7 +1891,7 @@ static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
1783 1891
 	if ( ! plaintext ) {
1784 1892
 		DBGC ( tls, "TLS %p could not allocate %zd bytes for "
1785 1893
 		       "plaintext\n", tls, plaintext_len );
1786
-		rc = -ENOMEM;
1894
+		rc = -ENOMEM_TX_PLAINTEXT;
1787 1895
 		goto done;
1788 1896
 	}
1789 1897
 
@@ -1796,7 +1904,7 @@ static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
1796 1904
 	if ( ! ciphertext ) {
1797 1905
 		DBGC ( tls, "TLS %p could not allocate %zd bytes for "
1798 1906
 		       "ciphertext\n", tls, ciphertext_len );
1799
-		rc = -ENOMEM;
1907
+		rc = -ENOMEM_TX_CIPHERTEXT;
1800 1908
 		goto done;
1801 1909
 	}
1802 1910
 
@@ -1857,7 +1965,7 @@ static int tls_split_stream ( struct tls_session *tls,
1857 1965
 	if ( plaintext_len < mac_len ) {
1858 1966
 		DBGC ( tls, "TLS %p received underlength record\n", tls );
1859 1967
 		DBGC_HD ( tls, plaintext, plaintext_len );
1860
-		return -EINVAL;
1968
+		return -EINVAL_STREAM;
1861 1969
 	}
1862 1970
 	content_len = ( plaintext_len - mac_len );
1863 1971
 	content = plaintext;
@@ -1900,7 +2008,7 @@ static int tls_split_block ( struct tls_session *tls,
1900 2008
 	if ( plaintext_len < 1 ) {
1901 2009
 		DBGC ( tls, "TLS %p received underlength record\n", tls );
1902 2010
 		DBGC_HD ( tls, plaintext, plaintext_len );
1903
-		return -EINVAL;
2011
+		return -EINVAL_BLOCK;
1904 2012
 	}
1905 2013
 
1906 2014
 	/* TLSv1.1 and later use an explicit IV */
@@ -1913,7 +2021,7 @@ static int tls_split_block ( struct tls_session *tls,
1913 2021
 	if ( plaintext_len < ( iv_len + mac_len + padding_len + 1 ) ) {
1914 2022
 		DBGC ( tls, "TLS %p received underlength record\n", tls );
1915 2023
 		DBGC_HD ( tls, plaintext, plaintext_len );
1916
-		return -EINVAL;
2024
+		return -EINVAL_BLOCK;
1917 2025
 	}
1918 2026
 	content_len = ( plaintext_len - iv_len - mac_len - padding_len - 1 );
1919 2027
 	iv = plaintext;
@@ -1926,7 +2034,7 @@ static int tls_split_block ( struct tls_session *tls,
1926 2034
 		if ( *( ( uint8_t * ) ( padding + i ) ) != padding_len ) {
1927 2035
 			DBGC ( tls, "TLS %p received bad padding\n", tls );
1928 2036
 			DBGC_HD ( tls, plaintext, plaintext_len );
1929
-			return -EINVAL;
2037
+			return -EINVAL_PADDING;
1930 2038
 		}
1931 2039
 	}
1932 2040
 
@@ -1966,7 +2074,7 @@ static int tls_new_ciphertext ( struct tls_session *tls,
1966 2074
 	if ( ! plaintext ) {
1967 2075
 		DBGC ( tls, "TLS %p could not allocate %zd bytes for "
1968 2076
 		       "decryption buffer\n", tls, record_len );
1969
-		rc = -ENOMEM;
2077
+		rc = -ENOMEM_RX_PLAINTEXT;
1970 2078
 		goto done;
1971 2079
 	}
1972 2080
 
@@ -2094,7 +2202,7 @@ static int tls_newdata_process_header ( struct tls_session *tls ) {
2094 2202
 	if ( ! tls->rx_data ) {
2095 2203
 		DBGC ( tls, "TLS %p could not allocate %zd bytes "
2096 2204
 		       "for receive buffer\n", tls, data_len );
2097
-		return -ENOMEM;
2205
+		return -ENOMEM_RX_DATA;
2098 2206
 	}
2099 2207
 
2100 2208
 	/* Move to data state */
@@ -2162,7 +2270,7 @@ static int tls_cipherstream_deliver ( struct tls_session *tls,
2162 2270
 			break;
2163 2271
 		default:
2164 2272
 			assert ( 0 );
2165
-			rc = -EINVAL;
2273
+			rc = -EINVAL_RX_STATE;
2166 2274
 			goto done;
2167 2275
 		}
2168 2276
 

Laden…
Annuleren
Opslaan