From: Matt Caswell Date: Thu, 20 Apr 2017 09:58:27 +0000 (+0100) Subject: Add better error logging if SCTP AUTH chunks are not enabled X-Git-Tag: OpenSSL_1_1_1-pre1~1701 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dcf88c5b79cbd433ee37276cdf63cdb5d49673cd;p=openssl Add better error logging if SCTP AUTH chunks are not enabled In order to use SCTP over DTLS we need ACTP AUTH chunks to be enabled in the kernel. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/3286)
---
diff --git a/crypto/bio/bio_err.c b/crypto/bio/bio_err.c
index c49a934095..9442d80e61 100644
--- a/crypto/bio/bio_err.c
+++ b/crypto/bio/bio_err.c
@@ -36,6 +36,7 @@ static ERR_STRING_DATA BIO_str_functs[] = {
 {ERR_FUNC(BIO_F_BIO_LOOKUP_EX), "BIO_lookup_ex"},
 {ERR_FUNC(BIO_F_BIO_MAKE_PAIR), "bio_make_pair"},
 {ERR_FUNC(BIO_F_BIO_NEW), "BIO_new"},
+ {ERR_FUNC(BIO_F_BIO_NEW_DGRAM_SCTP), "BIO_new_dgram_sctp"},
 {ERR_FUNC(BIO_F_BIO_NEW_FILE), "BIO_new_file"},
 {ERR_FUNC(BIO_F_BIO_NEW_MEM_BUF), "BIO_new_mem_buf"},
 {ERR_FUNC(BIO_F_BIO_NREAD), "BIO_nread"},
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index d43e8dc471..d3a7b03fba 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -842,6 +842,8 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 sizeof(struct sctp_authchunk));
 if (ret < 0) {
 BIO_vfree(bio);
+ BIOerr(BIO_F_BIO_NEW_DGRAM_SCTP, ERR_R_SYS_LIB);
+ ERR_add_error_data(1, "Ensure SCTP AUTH chunks are enabled in kernel");
 return (NULL);
 }
 auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
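Review bot: The error paths added after the two failing setsockopt() calls (this hunk and the one at -850,13) queue `ERR_R_SYS_LIB` with a fixed hint but never record the socket error itself, and they run after `BIO_vfree(bio)`, which may already have overwritten errno. setsockopt() can fail for reasons other than SCTP-AUTH being disabled (for instance an fd that is not an SCTP socket), so the hint on its own can send an operator in the wrong direction. Capture the error before freeing, in the way other socket code in the library does: `SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());` placed ahead of `BIO_vfree(bio);`, keeping the `BIOerr`/`ERR_add_error_data` pair after it. The start of each setsockopt() call and the rest of BIO_new_dgram_sctp lie outside the hunks.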
@@ -850,13 +852,16 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag) sizeof(struct sctp_authchunk)); if (ret < 0) { BIO_vfree(bio); + BIOerr(BIO_F_BIO_NEW_DGRAM_SCTP, ERR_R_SYS_LIB); + ERR_add_error_data(1, "Ensure SCTP AUTH chunks are enabled in kernel"); return (NULL); } /* * Test if activation was successful. When using accept(), SCTP-AUTH has * to be activated for the listening socket already, otherwise the - * connected socket won't use it. + * connected socket won't use it. Similarly with connect(): the socket + * prior to connection must be activated for SCTP-AUTH */ sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t)); authchunks = OPENSSL_zalloc(sockopt_len); @@ -883,8 +888,14 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag) OPENSSL_free(authchunks); - OPENSSL_assert(auth_data); - OPENSSL_assert(auth_forward); + if (!auth_data || !auth_forward) { + BIO_vfree(bio); + BIOerr(BIO_F_BIO_NEW_DGRAM_SCTP, ERR_R_SYS_LIB); + ERR_add_error_data(1, + "Ensure SCTP AUTH chunks are enabled on the " + "underlying socket"); + return NULL; + } # ifdef SCTP_AUTHENTICATION_EVENT # ifdef SCTP_EVENT diff --git a/include/openssl/bio.h b/include/openssl/bio.h index 225642bed0..dea28c1cc1 100644 --- a/include/openssl/bio.h +++ b/include/openssl/bio.h @@ -811,6 +811,7 @@ int ERR_load_BIO_strings(void); # define BIO_F_BIO_LOOKUP_EX 143 # define BIO_F_BIO_MAKE_PAIR 121 # define BIO_F_BIO_NEW 108 +# define BIO_F_BIO_NEW_DGRAM_SCTP 145 # define BIO_F_BIO_NEW_FILE 109 # define BIO_F_BIO_NEW_MEM_BUF 126 # define BIO_F_BIO_NREAD 123
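Review bot: The new `if (!auth_data || !auth_forward)` branch in the hunk at -883,8 reports `ERR_R_SYS_LIB` with one combined hint, so the error queue cannot tell the caller which of the two chunk types was missing from the authenticated list, and it labels as a system-library failure a path that, as far as the hunk shows, is reached after the query itself succeeded. Choose the text by flag, e.g. `ERR_add_error_data(1, auth_data ? "FORWARD-TSN chunks are not SCTP-AUTH protected" : "DATA chunks are not SCTP-AUTH protected");`. A one-line comment above the check, such as `/* Refuse the BIO: DTLS over SCTP relies on both chunk types being authenticated */`, would record why this fails closed now that the asserts are gone. The loop that sets the two flags and the remainder of BIO_new_dgram_sctp are outside the hunk.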