Include a more meaningful error message when rejecting legacy renegotiation

author: Dr. Stephen Henson <steve@openssl.org> 2009-11-18 14:24:00 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2009-11-18 14:24:00 +0000
commit: b14713c231be252894ce6f0573ee2eff0694fc07 (patch)
tree: 1d36111df88afe997c011fc85a756dbec9aa293b /ssl
parent: 637e0ba4202ff1fb361932af6c7b2c8e622eebf4 (diff)
3 files changed, 10 insertions, 0 deletions
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 5ef8f34304..d7d91c8f91 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1806,7 +1806,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
 #define SSL_F_SSL_NEW					 186
 #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT	 287
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT		 290
 #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT	 289
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT		 291
 #define SSL_F_SSL_PEEK					 270
 #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT		 275
 #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT		 276
@@ -2078,6 +2080,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
 #define SSL_R_UNKNOWN_SSL_VERSION			 254
 #define SSL_R_UNKNOWN_STATE				 255
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 323
 #define SSL_R_UNSUPPORTED_CIPHER			 256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
 #define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE		 315
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index ee00cd792e..fdce772fa8 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -221,7 +221,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_load_client_CA_file"},
 {ERR_FUNC(SSL_F_SSL_NEW),	"SSL_new"},
 {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),	"SSL_PARSE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),	"SSL_PARSE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PEEK),	"SSL_peek"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),	"SSL_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),	"SSL_PREPARE_SERVERHELLO_TLSEXT"},
@@ -496,6 +498,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
 {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
 {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 261e2eb811..fa7ad031f5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -359,6 +359,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 			&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 			{
 			/* We should always see one extension: the renegotiate extension */
+	 		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 			return 0;
 			}
@@ -592,6 +593,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+	 	SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 		return 0;
 		}
 
@@ -617,6 +619,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 			{
 			/* We should always see one extension: the renegotiate extension */
 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+			SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 			return 0;
 			}
 		return 1;
@@ -687,6 +690,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 		return 0;
 		}
author	Dr. Stephen Henson <steve@openssl.org>	2009-11-18 14:24:00 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2009-11-18 14:24:00 +0000
commit	b14713c231be252894ce6f0573ee2eff0694fc07 (patch)
tree	1d36111df88afe997c011fc85a756dbec9aa293b /ssl
parent	637e0ba4202ff1fb361932af6c7b2c8e622eebf4 (diff)