Address review feedback
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
parent
e8dbd53966
commit
43fcb8d7c1
5 changed files with 25 additions and 17 deletions
5
ChangeLog.d/fix_fragment_len_return.txt
Normal file
5
ChangeLog.d/fix_fragment_len_return.txt
Normal file
|
@ -0,0 +1,5 @@
|
|||
Bugfix
|
||||
* Fix the error returned when a client requests an invalid
|
||||
* fragment length, as per RFC6066 section 4. We now return
|
||||
* MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER, and raise the corresponding
|
||||
* alert.
|
3
ChangeLog.d/update_ssl_error_codes.txt
Normal file
3
ChangeLog.d/update_ssl_error_codes.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
Changes
|
||||
* Various changes to which alert and/or error code may be returned
|
||||
* during the TLS handshake.
|
|
@ -1389,8 +1389,8 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
|||
mbedtls_ssl_send_alert_message(
|
||||
ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -1403,8 +1403,8 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
|||
mbedtls_ssl_send_alert_message(
|
||||
ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
|
||||
ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
||||
|
@ -1453,7 +1453,7 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
}
|
||||
|
||||
|
@ -1508,7 +1508,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||
mbedtls_ssl_send_alert_message(
|
||||
ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
}
|
||||
|
||||
|
|
|
@ -201,8 +201,8 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -212,8 +212,8 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
|
||||
ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
|
||||
|
|
|
@ -1898,7 +1898,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
|
|||
mbedtls_ssl_send_alert_message( ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||
return( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
|
||||
}
|
||||
/* In theory, the CRT can be up to 2**24 Bytes, but we don't support
|
||||
* anything beyond 2**16 ~ 64K. */
|
||||
|
@ -1907,8 +1907,8 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT );
|
||||
return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
|
||||
}
|
||||
|
||||
/* Read length of the next CRT in the chain. */
|
||||
|
@ -1943,8 +1943,8 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
|
||||
return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
|
||||
}
|
||||
|
||||
/* Now we can safely free the original chain. */
|
||||
|
@ -2929,8 +2929,8 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
|
|||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
|
|
Loading…
Reference in a new issue