From dd5f624f32395e64e29dc537bdf208058544b226 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 28 Jun 2021 21:58:56 +0100 Subject: [PATCH] Fix TLS alert codes Signed-off-by: Dave Rodgman --- ChangeLog.d/fix_tls_alert_codes.txt | 6 ++++++ library/ssl_cli.c | 2 +- library/ssl_tls.c | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 ChangeLog.d/fix_tls_alert_codes.txt diff --git a/ChangeLog.d/fix_tls_alert_codes.txt b/ChangeLog.d/fix_tls_alert_codes.txt new file mode 100644 index 0000000000..abe3a5e6df --- /dev/null +++ b/ChangeLog.d/fix_tls_alert_codes.txt @@ -0,0 +1,6 @@ +Bugfix + * Fix the alert raised when a client requests an invalid + * fragment length, as per RFC6066 section 4. We now alert with + * MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER. Similarly, raise + * MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR for an invalid finished + * message, as per RFC5247 section 7.2.2. diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 01e3f111e8..6710f133e8 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1525,7 +1525,7 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a4cf44c788..976a87c514 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3610,7 +3610,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); }