Address review feedback
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
diff --git a/ChangeLog.d/fix_fragment_len_return.txt b/ChangeLog.d/fix_fragment_len_return.txt
new file mode 100644
index 0000000..bfbf93c
--- /dev/null
+++ b/ChangeLog.d/fix_fragment_len_return.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix the error returned when a client requests an invalid
+ * fragment length, as per RFC6066 section 4. We now return
+ * MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER, and raise the corresponding
+ * alert.
diff --git a/ChangeLog.d/update_ssl_error_codes.txt b/ChangeLog.d/update_ssl_error_codes.txt
new file mode 100644
index 0000000..0630b54
--- /dev/null
+++ b/ChangeLog.d/update_ssl_error_codes.txt
@@ -0,0 +1,3 @@
+Changes
+ * Various changes to which alert and/or error code may be returned
+ * during the TLS handshake.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 558755d..fc791d6 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1389,8 +1389,8 @@
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
}
else
@@ -1403,8 +1403,8 @@
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
@@ -1453,7 +1453,7 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
@@ -1508,7 +1508,7 @@
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 2c801ef..75beb6e 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -201,8 +201,8 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
}
else
@@ -212,8 +212,8 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 97f9c1b..1cfda4a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1898,7 +1898,7 @@
mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
/* In theory, the CRT can be up to 2**24 Bytes, but we don't support
* anything beyond 2**16 ~ 64K. */
@@ -1907,8 +1907,8 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT );
+ return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
}
/* Read length of the next CRT in the chain. */
@@ -1943,8 +1943,8 @@
MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
+ return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
}
/* Now we can safely free the original chain. */
@@ -2929,8 +2929,8 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
#if defined(MBEDTLS_SSL_RENEGOTIATION)
