arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-17 22:23:10 +03:00
Code Activity

Cleaned up alerts as per TLS v1.2 spec (7.2.2)

Browse Source 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@262 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich
2016-07-21 19:26:45 +00:00
committed by Yasuki Ikeuchi
parent 01a0531bc3
commit abda243710
2 changed files with 73 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ssl/ssl.h
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2007, Cameron Rich
* Copyright (c) 2007-2016, Cameron Rich
*
* All rights reserved.
*
@ -91,6 +91,7 @@ extern "C" {
#define SSL_ERROR_DEAD -2
#define SSL_CLOSE_NOTIFY -3
#define SSL_ERROR_CONN_LOST -256
#define SSL_ERROR_RECORD_OVERFLOW -257
#define SSL_ERROR_SOCK_SETUP_FAILURE -258
#define SSL_ERROR_INVALID_HANDSHAKE -260
#define SSL_ERROR_INVALID_PROT_MSG -261
@ -115,9 +116,14 @@ extern "C" {
#define SSL_ALERT_CLOSE_NOTIFY 0
#define SSL_ALERT_UNEXPECTED_MESSAGE 10
#define SSL_ALERT_BAD_RECORD_MAC 20
#define SSL_ALERT_RECORD_OVERFLOW 22
#define SSL_ALERT_HANDSHAKE_FAILURE 40
#define SSL_ALERT_BAD_CERTIFICATE 42
#define SSL_ALERT_UNSUPPORTED_CERTIFICATE 43
#define SSL_ALERT_CERTIFICATE_EXPIRED 45
#define SSL_ALERT_CERTIFICATE_UNKNOWN 46
#define SSL_ALERT_ILLEGAL_PARAMETER 47
#define SSL_ALERT_UNKNOWN_CA 48
#define SSL_ALERT_DECODE_ERROR 50
#define SSL_ALERT_DECRYPT_ERROR 51
#define SSL_ALERT_INVALID_VERSION 70

88
ssl/tls1.c
View File

@ -1243,8 +1243,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
/* do we violate the spec with the message size? */
if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
{
printf("ssl->need_bytes=%d violates spec\r\n", ssl->need_bytes, RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET);
ret = SSL_ERROR_INVALID_PROT_MSG;
ret = SSL_ERROR_RECORD_OVERFLOW;
goto error;
}
@ -1496,7 +1495,7 @@ int send_alert(SSL *ssl, int error_code)
int is_warning = 0;
uint8_t buf[2];
/* Don't bother we're already dead */
/* Don't bother, we're already dead */
if (ssl->hs_status == SSL_ERROR_DEAD)
{
return SSL_ERROR_CONN_LOST;
@ -1518,38 +1517,59 @@ int send_alert(SSL *ssl, int error_code)
is_warning = 1;
break;
case SSL_ERROR_INVALID_HANDSHAKE:
case SSL_ERROR_INVALID_PROT_MSG:
case SSL_ERROR_NO_CIPHER:
alert_num = SSL_ALERT_HANDSHAKE_FAILURE;
break;
case SSL_ERROR_INVALID_HMAC:
case SSL_ERROR_FINISHED_INVALID:
alert_num = SSL_ALERT_BAD_RECORD_MAC;
break;
case SSL_ERROR_FINISHED_INVALID:
case SSL_ERROR_INVALID_KEY:
alert_num = SSL_ALERT_DECRYPT_ERROR;
break;
case SSL_ERROR_INVALID_VERSION:
alert_num = SSL_ALERT_INVALID_VERSION;
break;
case SSL_ERROR_INVALID_SESSION:
case SSL_ERROR_NO_CIPHER:
case SSL_ERROR_INVALID_KEY:
alert_num = SSL_ALERT_ILLEGAL_PARAMETER;
break;
case SSL_ERROR_BAD_CERTIFICATE:
alert_num = SSL_ALERT_BAD_CERTIFICATE;
break;
case SSL_ERROR_NO_CLIENT_RENOG:
alert_num = SSL_ALERT_NO_RENEGOTIATION;
break;
case SSL_ERROR_RECORD_OVERFLOW:
alert_num = SSL_ALERT_RECORD_OVERFLOW;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED):
case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID):
alert_num = SSL_ALERT_CERTIFICATE_EXPIRED;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT):
alert_num = SSL_ALERT_UNKNOWN_CA;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST):
alert_num = SSL_ALERT_UNSUPPORTED_CERTIFICATE;
break;
case SSL_ERROR_BAD_CERTIFICATE:
case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE):
alert_num = SSL_ALERT_BAD_CERTIFICATE;
break;
case SSL_ERROR_INVALID_HANDSHAKE:
case SSL_ERROR_INVALID_PROT_MSG:
default:
/* a catch-all for any badly verified certificates */
/* a catch-all for anything bad */
alert_num = (error_code <= SSL_X509_OFFSET) ?
SSL_ALERT_BAD_CERTIFICATE : SSL_ALERT_UNEXPECTED_MESSAGE;
SSL_ALERT_CERTIFICATE_UNKNOWN: SSL_ALERT_UNEXPECTED_MESSAGE;
break;
}
@ -2125,6 +2145,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code)
printf("connection dead");
break;
case SSL_ERROR_RECORD_OVERFLOW:
printf("record overflow");
break;
case SSL_ERROR_INVALID_HANDSHAKE:
printf("invalid handshake");
break;
@ -2201,14 +2225,6 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("close notify");
break;
case SSL_ALERT_INVALID_VERSION:
printf("invalid version");
break;
case SSL_ALERT_BAD_CERTIFICATE:
printf("bad certificate");
break;
case SSL_ALERT_UNEXPECTED_MESSAGE:
printf("unexpected message");
break;
@ -2217,14 +2233,38 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("bad record mac");
break;
case SSL_ERROR_RECORD_OVERFLOW:
printf("record overlow");
break;
case SSL_ALERT_HANDSHAKE_FAILURE:
printf("handshake failure");
break;
case SSL_ALERT_BAD_CERTIFICATE:
printf("bad certificate");
break;
case SSL_ALERT_UNSUPPORTED_CERTIFICATE:
printf("unsupported certificate");
break;
case SSL_ALERT_CERTIFICATE_EXPIRED:
printf("certificate expired");
break;
case SSL_ALERT_CERTIFICATE_UNKNOWN:
printf("certificate unknown");
break;
case SSL_ALERT_ILLEGAL_PARAMETER:
printf("illegal parameter");
break;
case SSL_ALERT_UNKNOWN_CA:
printf("unknown ca");
break;
case SSL_ALERT_DECODE_ERROR:
printf("decode error");
break;
@ -2233,6 +2273,10 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("decrypt error");
break;
case SSL_ALERT_INVALID_VERSION:
printf("invalid version");
break;
case SSL_ALERT_NO_RENEGOTIATION:
printf("no renegotiation");
break;