Cleaned up alerts as per TLS v1.2 spec (7.2.2)

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@262 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2016-07-21 19:26:45 +00:00 · 2016-07-21 19:26:45 +00:00 · 287ed7dc14
commit 287ed7dc14
parent 9daa8bcd30
2 changed files with 73 additions and 22 deletions
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, Cameron Rich
+ * Copyright (c) 2007-2016, Cameron Rich
 * 
 * All rights reserved.
 * 
@ -90,6 +90,7 @@ extern "C" {
 #define SSL_ERROR_DEAD                          -2
 #define SSL_CLOSE_NOTIFY                        -3
 #define SSL_ERROR_CONN_LOST                     -256
+#define SSL_ERROR_RECORD_OVERFLOW               -257
 #define SSL_ERROR_SOCK_SETUP_FAILURE            -258
 #define SSL_ERROR_INVALID_HANDSHAKE             -260
 #define SSL_ERROR_INVALID_PROT_MSG              -261
@ -114,9 +115,14 @@ extern "C" {
 #define SSL_ALERT_CLOSE_NOTIFY                  0
 #define SSL_ALERT_UNEXPECTED_MESSAGE            10
 #define SSL_ALERT_BAD_RECORD_MAC                20
+#define SSL_ALERT_RECORD_OVERFLOW               22
 #define SSL_ALERT_HANDSHAKE_FAILURE             40
 #define SSL_ALERT_BAD_CERTIFICATE               42
+#define SSL_ALERT_UNSUPPORTED_CERTIFICATE       43
+#define SSL_ALERT_CERTIFICATE_EXPIRED           45
+#define SSL_ALERT_CERTIFICATE_UNKNOWN           46
 #define SSL_ALERT_ILLEGAL_PARAMETER             47
+#define SSL_ALERT_UNKNOWN_CA                    48
 #define SSL_ALERT_DECODE_ERROR                  50
 #define SSL_ALERT_DECRYPT_ERROR                 51
 #define SSL_ALERT_INVALID_VERSION               70
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@ -1201,7 +1201,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
        /* do we violate the spec with the message size?  */
        if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
        {
-            ret = SSL_ERROR_INVALID_PROT_MSG;              
+            ret = SSL_ERROR_RECORD_OVERFLOW;              
            goto error;
        }

@ -1419,7 +1419,7 @@ int send_alert(SSL *ssl, int error_code)
    int is_warning = 0;
    uint8_t buf[2];

-    /* Don't bother we're already dead */
+    /* Don't bother, we're already dead */
    if (ssl->hs_status == SSL_ERROR_DEAD)
    {
        return SSL_ERROR_CONN_LOST;
@ -1441,38 +1441,59 @@ int send_alert(SSL *ssl, int error_code)
            is_warning = 1;
            break;

-        case SSL_ERROR_INVALID_HANDSHAKE:
-        case SSL_ERROR_INVALID_PROT_MSG:
+        case SSL_ERROR_NO_CIPHER:
            alert_num = SSL_ALERT_HANDSHAKE_FAILURE;
            break;

        case SSL_ERROR_INVALID_HMAC:
-        case SSL_ERROR_FINISHED_INVALID:
            alert_num = SSL_ALERT_BAD_RECORD_MAC;
            break;

+        case SSL_ERROR_FINISHED_INVALID:
+        case SSL_ERROR_INVALID_KEY:
+            alert_num = SSL_ALERT_DECRYPT_ERROR;
+            break;
+
        case SSL_ERROR_INVALID_VERSION:
            alert_num = SSL_ALERT_INVALID_VERSION;
            break;

        case SSL_ERROR_INVALID_SESSION:
-        case SSL_ERROR_NO_CIPHER:
-        case SSL_ERROR_INVALID_KEY:
            alert_num = SSL_ALERT_ILLEGAL_PARAMETER;
            break;

-        case SSL_ERROR_BAD_CERTIFICATE:
-            alert_num = SSL_ALERT_BAD_CERTIFICATE;
-            break;
-
        case SSL_ERROR_NO_CLIENT_RENOG:
            alert_num = SSL_ALERT_NO_RENEGOTIATION;
            break;

+        case SSL_ERROR_RECORD_OVERFLOW:
+            alert_num = SSL_ALERT_RECORD_OVERFLOW;
+            break;
+
+        case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED):
+        case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID):
+            alert_num = SSL_ALERT_CERTIFICATE_EXPIRED;
+            break;
+
+        case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT):
+            alert_num = SSL_ALERT_UNKNOWN_CA;
+            break;
+
+        case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST):
+            alert_num = SSL_ALERT_UNSUPPORTED_CERTIFICATE;
+            break;
+
+        case SSL_ERROR_BAD_CERTIFICATE:
+        case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE):
+            alert_num = SSL_ALERT_BAD_CERTIFICATE;
+            break;
+
+        case SSL_ERROR_INVALID_HANDSHAKE:
+        case SSL_ERROR_INVALID_PROT_MSG:
        default:
-            /* a catch-all for any badly verified certificates */
+            /* a catch-all for anything bad */
            alert_num = (error_code <= SSL_X509_OFFSET) ?  
-                SSL_ALERT_BAD_CERTIFICATE : SSL_ALERT_UNEXPECTED_MESSAGE;
+                SSL_ALERT_CERTIFICATE_UNKNOWN: SSL_ALERT_UNEXPECTED_MESSAGE;
            break;
    }

@ -2018,6 +2039,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code)
            printf("connection dead");
            break;

+        case SSL_ERROR_RECORD_OVERFLOW:
+            printf("record overflow");
+            break;
+
        case SSL_ERROR_INVALID_HANDSHAKE:
            printf("invalid handshake");
            break;
@ -2094,14 +2119,6 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
            printf("close notify");
            break;

-        case SSL_ALERT_INVALID_VERSION:
-            printf("invalid version");
-            break;
-
-        case SSL_ALERT_BAD_CERTIFICATE:
-            printf("bad certificate");
-            break;
-
        case SSL_ALERT_UNEXPECTED_MESSAGE:
            printf("unexpected message");
            break;
@ -2110,14 +2127,38 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
            printf("bad record mac");
            break;

+        case SSL_ERROR_RECORD_OVERFLOW:
+            printf("record overlow");
+            break;
+
        case SSL_ALERT_HANDSHAKE_FAILURE:
            printf("handshake failure");
            break;

+        case SSL_ALERT_BAD_CERTIFICATE:
+            printf("bad certificate");
+            break;
+
+        case SSL_ALERT_UNSUPPORTED_CERTIFICATE:
+            printf("unsupported certificate");
+            break;
+
+        case SSL_ALERT_CERTIFICATE_EXPIRED:
+            printf("certificate expired");
+            break;
+
+        case SSL_ALERT_CERTIFICATE_UNKNOWN:
+            printf("certificate unknown");
+            break;
+
        case SSL_ALERT_ILLEGAL_PARAMETER:
            printf("illegal parameter");
            break;

+        case SSL_ALERT_UNKNOWN_CA:
+            printf("unknown ca");
+            break;
+
        case SSL_ALERT_DECODE_ERROR:
            printf("decode error");
            break;
@ -2126,6 +2167,10 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
            printf("decrypt error");
            break;

+        case SSL_ALERT_INVALID_VERSION:
+            printf("invalid version");
+            break;
+
        case SSL_ALERT_NO_RENEGOTIATION:
            printf("no renegotiation");
            break;