arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-17 22:23:10 +03:00
Code Activity

Cleaned up alerts as per TLS v1.2 spec (7.2.2)

Browse Source 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@262 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich
2016-07-21 19:26:45 +00:00
committed by Yasuki Ikeuchi
parent 01a0531bc3
commit abda243710
2 changed files with 73 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ssl/ssl.h
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -91,6 +91,7 @@ extern "C" {
#define SSL_ERROR_DEAD -2 #define SSL_ERROR_DEAD -2
#define SSL_CLOSE_NOTIFY -3 #define SSL_CLOSE_NOTIFY -3
#define SSL_ERROR_CONN_LOST -256 #define SSL_ERROR_CONN_LOST -256
#define SSL_ERROR_RECORD_OVERFLOW -257
#define SSL_ERROR_SOCK_SETUP_FAILURE -258 #define SSL_ERROR_SOCK_SETUP_FAILURE -258
#define SSL_ERROR_INVALID_HANDSHAKE -260 #define SSL_ERROR_INVALID_HANDSHAKE -260
#define SSL_ERROR_INVALID_PROT_MSG -261 #define SSL_ERROR_INVALID_PROT_MSG -261
@ -115,9 +116,14 @@ extern "C" {
#define SSL_ALERT_CLOSE_NOTIFY 0 #define SSL_ALERT_CLOSE_NOTIFY 0
#define SSL_ALERT_UNEXPECTED_MESSAGE 10 #define SSL_ALERT_UNEXPECTED_MESSAGE 10
#define SSL_ALERT_BAD_RECORD_MAC 20 #define SSL_ALERT_BAD_RECORD_MAC 20
#define SSL_ALERT_RECORD_OVERFLOW 22
#define SSL_ALERT_HANDSHAKE_FAILURE 40 #define SSL_ALERT_HANDSHAKE_FAILURE 40
#define SSL_ALERT_BAD_CERTIFICATE 42 #define SSL_ALERT_BAD_CERTIFICATE 42
#define SSL_ALERT_UNSUPPORTED_CERTIFICATE 43
#define SSL_ALERT_CERTIFICATE_EXPIRED 45
#define SSL_ALERT_CERTIFICATE_UNKNOWN 46
#define SSL_ALERT_ILLEGAL_PARAMETER 47 #define SSL_ALERT_ILLEGAL_PARAMETER 47
#define SSL_ALERT_UNKNOWN_CA 48
#define SSL_ALERT_DECODE_ERROR 50 #define SSL_ALERT_DECODE_ERROR 50
#define SSL_ALERT_DECRYPT_ERROR 51 #define SSL_ALERT_DECRYPT_ERROR 51
#define SSL_ALERT_INVALID_VERSION 70 #define SSL_ALERT_INVALID_VERSION 70

88
ssl/tls1.c
View File

@ -1243,8 +1243,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
/* do we violate the spec with the message size? */ /* do we violate the spec with the message size? */
if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET) if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
{ {
printf("ssl->need_bytes=%d violates spec\r\n", ssl->need_bytes, RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET); ret = SSL_ERROR_RECORD_OVERFLOW;
ret = SSL_ERROR_INVALID_PROT_MSG;
goto error; goto error;
} }
@ -1496,7 +1495,7 @@ int send_alert(SSL *ssl, int error_code)
int is_warning = 0; int is_warning = 0;
uint8_t buf[2]; uint8_t buf[2];
/* Don't bother we're already dead */ /* Don't bother, we're already dead */
if (ssl->hs_status == SSL_ERROR_DEAD) if (ssl->hs_status == SSL_ERROR_DEAD)
{ {
return SSL_ERROR_CONN_LOST; return SSL_ERROR_CONN_LOST;
@ -1518,38 +1517,59 @@ int send_alert(SSL *ssl, int error_code)
is_warning = 1; is_warning = 1;
break; break;
case SSL_ERROR_INVALID_HANDSHAKE: case SSL_ERROR_NO_CIPHER:
case SSL_ERROR_INVALID_PROT_MSG:
alert_num = SSL_ALERT_HANDSHAKE_FAILURE; alert_num = SSL_ALERT_HANDSHAKE_FAILURE;
break; break;
case SSL_ERROR_INVALID_HMAC: case SSL_ERROR_INVALID_HMAC:
case SSL_ERROR_FINISHED_INVALID:
alert_num = SSL_ALERT_BAD_RECORD_MAC; alert_num = SSL_ALERT_BAD_RECORD_MAC;
break; break;
case SSL_ERROR_FINISHED_INVALID:
case SSL_ERROR_INVALID_KEY:
alert_num = SSL_ALERT_DECRYPT_ERROR;
break;
case SSL_ERROR_INVALID_VERSION: case SSL_ERROR_INVALID_VERSION:
alert_num = SSL_ALERT_INVALID_VERSION; alert_num = SSL_ALERT_INVALID_VERSION;
break; break;
case SSL_ERROR_INVALID_SESSION: case SSL_ERROR_INVALID_SESSION:
case SSL_ERROR_NO_CIPHER:
case SSL_ERROR_INVALID_KEY:
alert_num = SSL_ALERT_ILLEGAL_PARAMETER; alert_num = SSL_ALERT_ILLEGAL_PARAMETER;
break; break;
case SSL_ERROR_BAD_CERTIFICATE:
alert_num = SSL_ALERT_BAD_CERTIFICATE;
break;
case SSL_ERROR_NO_CLIENT_RENOG: case SSL_ERROR_NO_CLIENT_RENOG:
alert_num = SSL_ALERT_NO_RENEGOTIATION; alert_num = SSL_ALERT_NO_RENEGOTIATION;
break; break;
case SSL_ERROR_RECORD_OVERFLOW:
alert_num = SSL_ALERT_RECORD_OVERFLOW;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED):
case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID):
alert_num = SSL_ALERT_CERTIFICATE_EXPIRED;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT):
alert_num = SSL_ALERT_UNKNOWN_CA;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST):
alert_num = SSL_ALERT_UNSUPPORTED_CERTIFICATE;
break;
case SSL_ERROR_BAD_CERTIFICATE:
case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE):
alert_num = SSL_ALERT_BAD_CERTIFICATE;
break;
case SSL_ERROR_INVALID_HANDSHAKE:
case SSL_ERROR_INVALID_PROT_MSG:
default: default:
/* a catch-all for any badly verified certificates */ /* a catch-all for anything bad */
alert_num = (error_code <= SSL_X509_OFFSET) ? alert_num = (error_code <= SSL_X509_OFFSET) ?
SSL_ALERT_BAD_CERTIFICATE : SSL_ALERT_UNEXPECTED_MESSAGE; SSL_ALERT_CERTIFICATE_UNKNOWN: SSL_ALERT_UNEXPECTED_MESSAGE;
break; break;
} }
@ -2125,6 +2145,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code)
printf("connection dead"); printf("connection dead");
break; break;
case SSL_ERROR_RECORD_OVERFLOW:
printf("record overflow");
break;
case SSL_ERROR_INVALID_HANDSHAKE: case SSL_ERROR_INVALID_HANDSHAKE:
printf("invalid handshake"); printf("invalid handshake");
break; break;
@ -2201,14 +2225,6 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("close notify"); printf("close notify");
break; break;
case SSL_ALERT_INVALID_VERSION:
printf("invalid version");
break;
case SSL_ALERT_BAD_CERTIFICATE:
printf("bad certificate");
break;
case SSL_ALERT_UNEXPECTED_MESSAGE: case SSL_ALERT_UNEXPECTED_MESSAGE:
printf("unexpected message"); printf("unexpected message");
break; break;
@ -2217,14 +2233,38 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("bad record mac"); printf("bad record mac");
break; break;
case SSL_ERROR_RECORD_OVERFLOW:
printf("record overlow");
break;
case SSL_ALERT_HANDSHAKE_FAILURE: case SSL_ALERT_HANDSHAKE_FAILURE:
printf("handshake failure"); printf("handshake failure");
break; break;
case SSL_ALERT_BAD_CERTIFICATE:
printf("bad certificate");
break;
case SSL_ALERT_UNSUPPORTED_CERTIFICATE:
printf("unsupported certificate");
break;
case SSL_ALERT_CERTIFICATE_EXPIRED:
printf("certificate expired");
break;
case SSL_ALERT_CERTIFICATE_UNKNOWN:
printf("certificate unknown");
break;
case SSL_ALERT_ILLEGAL_PARAMETER: case SSL_ALERT_ILLEGAL_PARAMETER:
printf("illegal parameter"); printf("illegal parameter");
break; break;
case SSL_ALERT_UNKNOWN_CA:
printf("unknown ca");
break;
case SSL_ALERT_DECODE_ERROR: case SSL_ALERT_DECODE_ERROR:
printf("decode error"); printf("decode error");
break; break;
@ -2233,6 +2273,10 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("decrypt error"); printf("decrypt error");
break; break;
case SSL_ALERT_INVALID_VERSION:
printf("invalid version");
break;
case SSL_ALERT_NO_RENEGOTIATION: case SSL_ALERT_NO_RENEGOTIATION:
printf("no renegotiation"); printf("no renegotiation");
break; break;