From 287ed7dc140ca07c6445a96a1f7dd8be674f122b Mon Sep 17 00:00:00 2001
From: cameronrich
Date: Thu, 21 Jul 2016 19:26:45 +0000
Subject: [PATCH] Cleaned up alerts as per TLS v1.2 spec (7.2.2)
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@262 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
---
 ssl/ssl.h | 8 ++++-
 ssl/tls1.c | 87 +++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 73 insertions(+), 22 deletions(-)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 198efc6..1b9de92 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, Cameron Rich
+ * Copyright (c) 2007-2016, Cameron Rich
 *
 * All rights reserved.
 *
@@ -90,6 +90,7 @@ extern "C" {
 #define SSL_ERROR_DEAD -2
 #define SSL_CLOSE_NOTIFY -3
 #define SSL_ERROR_CONN_LOST -256
+#define SSL_ERROR_RECORD_OVERFLOW -257
 #define SSL_ERROR_SOCK_SETUP_FAILURE -258
 #define SSL_ERROR_INVALID_HANDSHAKE -260
 #define SSL_ERROR_INVALID_PROT_MSG -261
@@ -114,9 +115,14 @@ extern "C" {
 #define SSL_ALERT_CLOSE_NOTIFY 0
 #define SSL_ALERT_UNEXPECTED_MESSAGE 10
 #define SSL_ALERT_BAD_RECORD_MAC 20
+#define SSL_ALERT_RECORD_OVERFLOW 22
 #define SSL_ALERT_HANDSHAKE_FAILURE 40
 #define SSL_ALERT_BAD_CERTIFICATE 42
+#define SSL_ALERT_UNSUPPORTED_CERTIFICATE 43
+#define SSL_ALERT_CERTIFICATE_EXPIRED 45
+#define SSL_ALERT_CERTIFICATE_UNKNOWN 46
 #define SSL_ALERT_ILLEGAL_PARAMETER 47
+#define SSL_ALERT_UNKNOWN_CA 48
 #define SSL_ALERT_DECODE_ERROR 50
 #define SSL_ALERT_DECRYPT_ERROR 51
 #define SSL_ALERT_INVALID_VERSION 70
diff --git a/ssl/tls1.c b/ssl/tls1.c
index f73433b..456aebf 100755
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@@ -1201,7 +1201,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
 /* do we violate the spec with the message size? */
 if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
 {
- ret = SSL_ERROR_INVALID_PROT_MSG;
+ ret = SSL_ERROR_RECORD_OVERFLOW;
 goto error;
 }
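Review bot: The oversize-record branch in basic_read() now returns `SSL_ERROR_RECORD_OVERFLOW` where it used to return `SSL_ERROR_INVALID_PROT_MSG`, so a caller that matched the old code for this condition will no longer see it, and the new `#define` in ssl.h carries no comment saying so. A one-line comment on the define, for example `/* record length exceeds the maximum basic_read() accepts; reported to the peer as record_overflow */`, would document the new public error code. basic_read's body starts and ends outside the hunk.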
@@ -1419,7 +1419,7 @@ int send_alert(SSL *ssl, int error_code)
 int is_warning = 0;
 uint8_t buf[2];
- /* Don't bother we're already dead */
+ /* Don't bother, we're already dead */
 if (ssl->hs_status == SSL_ERROR_DEAD)
 {
 return SSL_ERROR_CONN_LOST;
@@ -1441,38 +1441,59 @@ int send_alert(SSL *ssl, int error_code) is_warning = 1; break; - case SSL_ERROR_INVALID_HANDSHAKE: - case SSL_ERROR_INVALID_PROT_MSG: + case SSL_ERROR_NO_CIPHER: alert_num = SSL_ALERT_HANDSHAKE_FAILURE; break; case SSL_ERROR_INVALID_HMAC: - case SSL_ERROR_FINISHED_INVALID: alert_num = SSL_ALERT_BAD_RECORD_MAC; break; + case SSL_ERROR_FINISHED_INVALID: + case SSL_ERROR_INVALID_KEY: + alert_num = SSL_ALERT_DECRYPT_ERROR; + break; + case SSL_ERROR_INVALID_VERSION: alert_num = SSL_ALERT_INVALID_VERSION; break; case SSL_ERROR_INVALID_SESSION: - case SSL_ERROR_NO_CIPHER: - case SSL_ERROR_INVALID_KEY: alert_num = SSL_ALERT_ILLEGAL_PARAMETER; break; - case SSL_ERROR_BAD_CERTIFICATE: - alert_num = SSL_ALERT_BAD_CERTIFICATE; - break; - case SSL_ERROR_NO_CLIENT_RENOG: alert_num = SSL_ALERT_NO_RENEGOTIATION; break; + case SSL_ERROR_RECORD_OVERFLOW: + alert_num = SSL_ALERT_RECORD_OVERFLOW; + break; + + case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED): + case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID): + alert_num = SSL_ALERT_CERTIFICATE_EXPIRED; + break; + + case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT): + alert_num = SSL_ALERT_UNKNOWN_CA; + break; + + case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST): + alert_num = SSL_ALERT_UNSUPPORTED_CERTIFICATE; + break; + + case SSL_ERROR_BAD_CERTIFICATE: + case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE): + alert_num = SSL_ALERT_BAD_CERTIFICATE; + break; + + case SSL_ERROR_INVALID_HANDSHAKE: + case SSL_ERROR_INVALID_PROT_MSG: default: - /* a catch-all for any badly verified certificates */ + /* a catch-all for anything bad */ alert_num = (error_code <= SSL_X509_OFFSET) ? - SSL_ALERT_BAD_CERTIFICATE : SSL_ALERT_UNEXPECTED_MESSAGE; + SSL_ALERT_CERTIFICATE_UNKNOWN: SSL_ALERT_UNEXPECTED_MESSAGE; break; } 
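Review bot: Mapping `SSL_ERROR_INVALID_KEY` to `SSL_ALERT_DECRYPT_ERROR` in send_alert() gives the peer a distinct alert for that failure, and the hunk does not show where that error code is raised. If it can come from the RSA key-exchange decryption path, RFC 5246 section 7.4.7.1 asks that a malformed premaster secret be handled indistinguishably from a valid one, so that path should not reach send_alert() with a key-specific code; this is worth confirming in the callers. Separately, the `SSL_ERROR_INVALID_HANDSHAKE` and `SSL_ERROR_INVALID_PROT_MSG` labels now sit on `default:` and go through the `SSL_X509_OFFSET` ternary instead of mapping to handshake_failure as before. A comment such as `/* protocol errors map to unexpected_message; unlisted X509 errors to certificate_unknown */` would make the intended result explicit. The switch begins and ends outside the hunk.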
@@ -2018,6 +2039,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code) printf("connection dead"); break; + case SSL_ERROR_RECORD_OVERFLOW: + printf("record overflow"); + break; + case SSL_ERROR_INVALID_HANDSHAKE: printf("invalid handshake"); break; @@ -2094,14 +2119,6 @@ void DISPLAY_ALERT(SSL *ssl, int alert) printf("close notify"); break; - case SSL_ALERT_INVALID_VERSION: - printf("invalid version"); - break; - - case SSL_ALERT_BAD_CERTIFICATE: - printf("bad certificate"); - break; - case SSL_ALERT_UNEXPECTED_MESSAGE: printf("unexpected message"); break; @@ -2110,14 +2127,38 @@ void DISPLAY_ALERT(SSL *ssl, int alert) printf("bad record mac"); break; + case SSL_ERROR_RECORD_OVERFLOW: + printf("record overlow"); + break; + case SSL_ALERT_HANDSHAKE_FAILURE: printf("handshake failure"); break; + case SSL_ALERT_BAD_CERTIFICATE: + printf("bad certificate"); + break; + + case SSL_ALERT_UNSUPPORTED_CERTIFICATE: + printf("unsupported certificate"); + break; + + case SSL_ALERT_CERTIFICATE_EXPIRED: + printf("certificate expired"); + break; + + case SSL_ALERT_CERTIFICATE_UNKNOWN: + printf("certificate unknown"); + break; + case SSL_ALERT_ILLEGAL_PARAMETER: printf("illegal parameter"); break; + case SSL_ALERT_UNKNOWN_CA: + printf("unknown ca"); + break; + case SSL_ALERT_DECODE_ERROR: printf("decode error"); break; @@ -2126,6 +2167,10 @@ void DISPLAY_ALERT(SSL *ssl, int alert) printf("decrypt error"); break; + case SSL_ALERT_INVALID_VERSION: + printf("invalid version"); + break; + case SSL_ALERT_NO_RENEGOTIATION: printf("no renegotiation"); break;
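Review bot: The new record-overflow case in DISPLAY_ALERT() (hunk `@@ -2110,14 +2127,38 @@`) is labelled `case SSL_ERROR_RECORD_OVERFLOW:`, which is the -257 library error code added in ssl.h, while every other label in this switch is an `SSL_ALERT_*` value. A received record_overflow alert (22) therefore never matches this case and is handled by whatever the switch does for unlisted values, which is outside the hunk. The message string is also misspelled. The two lines should read `case SSL_ALERT_RECORD_OVERFLOW:` and `printf("record overflow");`.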