author | Dr. Stephen Henson <steve@openssl.org> | 2009-11-18 14:24:00 +0000 |
committer | Dr. Stephen Henson <steve@openssl.org> | 2009-11-18 14:24:00 +0000 |
commit | b14713c231be252894ce6f0573ee2eff0694fc07 (patch) | |
tree | 1d36111df88afe997c011fc85a756dbec9aa293b /ssl | |
parent | 637e0ba4202ff1fb361932af6c7b2c8e622eebf4 (diff) |
Include a more meaningful error message when rejecting legacy renegotiation
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl.h | 3 | ||||
-rw-r--r-- | ssl/ssl_err.c | 3 | ||||
-rw-r--r-- | ssl/t1_lib.c | 4 |
3 files changed, 10 insertions, 0 deletions
@@ -1806,7 +1806,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
 #define SSL_F_SSL_NEW 186
 #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 287
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 290
 #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 289
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 291
 #define SSL_F_SSL_PEEK 270
 #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 275
 #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 276
@@ -2078,6 +2080,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
 #define SSL_R_UNKNOWN_SSL_VERSION 254
 #define SSL_R_UNKNOWN_STATE 255
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 323
 #define SSL_R_UNSUPPORTED_CIPHER 256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index ee00cd792e..fdce772fa8 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -221,7 +221,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
 {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
 {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
@@ -496,6 +498,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
 {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
 {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 261e2eb811..fa7ad031f5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -359,6 +359,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 {
 /* We should always see one extension: the renegotiate extension */
+SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 return 0;
 }
@@ -592,6 +593,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 {
 *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 return 0;
 }
 
@@ -617,6 +619,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 {
 /* We should always see one extension: the renegotiate extension */
 *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 return 0;
 }
 return 1;
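Review bot: The new SSLerr() call in the `@@ -359` hunk is placed before the `*al = SSL_AD_ILLEGAL_PARAMETER;` assignment, while the other three sites this commit touches put it after; the order has no effect on behaviour, but a single convention is easier to grep when the next rejection site is added, so move `SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);` below the `*al` line here. The `/* is this the right alert? */` comment the hunk leaves in place is worth settling while these paths are being touched: illegal_parameter tells the peer a field was malformed, whereas what is refused here is a policy decision (no renegotiation indication seen on a renegotiation), which the secure-renegotiation draft describes with a handshake_failure alert — confirm against the draft version this tree targets before changing it. Both ssl_parse_clienthello_tlsext hunks are cut from the middle of the function, so the condition that leads into the rejected branch is not visible here.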
@@ -687,6 +690,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 {
 *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 return 0;
 }
 
|
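Review bot: The guard on the first context line consults `s->ctx->options`, not the connection's own option word, so an application that sets SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION on the SSL object rather than on the SSL_CTX would presumably still be rejected here (and at the three sibling sites in this commit); if SSL_set_options() in this tree stores into a per-connection `s->options`, the check should read `!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)`, otherwise the ctx-only semantics deserve a comment at the option's definition. This is pre-existing, but the commit is the first to give the rejection a distinct error reason, so it is the natural point to make sure the option is read where callers actually set it. ssl_parse_serverhello_tlsext starts and ends outside the hunk.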