From 10e10602612bac4d805e6497455fca7f17e6e879 Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Tue, 25 Jul 2017 13:33:21 -0700
Subject: [PATCH] Send correct fatal alert the renegotation extension fails to match.

https://tools.ietf.org/html/rfc5746#section-3.4 says that handshake_failure is the correct alert to send, but we were sending illegal_parameter.

Change-Id: Ife951c5951f6f8e4c31a3f2f57307bfed1c24561
Reviewed-on: https://boringssl-review.googlesource.com/18408
Reviewed-by: David Benjamin
Commit-Queue: David Benjamin
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 ssl/t1_lib.cc | 2 +-
 ssl/test/runner/runner.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 19f256dc..283f22c3 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -802,7 +802,7 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
 #endif
 if (!ok) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
- *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+ *out_alert = SSL_AD_HANDSHAKE_FAILURE;
 return 0;
 }
 ssl->s3->send_connection_binding = 1;
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index c5f99715..a3d9139a 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -7047,6 +7047,7 @@ func addRenegotiationTests() {
 flags: []string{"-renegotiate-freely"},
 shouldFail: true,
 expectedError: ":RENEGOTIATION_MISMATCH:",
+ expectedLocalError: "handshake failure",
 })
 testCases = append(testCases, testCase{
 name: "Renegotiate-Client-BadExt",
@@ -7060,6 +7061,7 @@ func addRenegotiationTests() {
 flags: []string{"-renegotiate-freely"},
 shouldFail: true,
 expectedError: ":RENEGOTIATION_MISMATCH:",
+ expectedLocalError: "handshake failure",
 })
 testCases = append(testCases, testCase{
 name: "Renegotiate-Client-BadExt2",
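Review bot: The new alert at `*out_alert = SSL_AD_HANDSHAKE_FAILURE;` has no in-code pointer to the rule it implements, so a later reader could plausibly "correct" it back to illegal_parameter. A one-line comment above it, such as `// RFC 5746, section 3.4: a renegotiation_info mismatch aborts with handshake_failure.`, would pin the choice where it is made. ext_ri_parse_serverhello begins and continues outside this hunk, so any earlier failure returns are not visible here; it is worth confirming they report the alert the RFC calls for as well. The diffstat shows only this one line changing in t1_lib.cc, so a ClientHello-side counterpart, if one exists, is untouched by this commit and may deserve the same check.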
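Review bot: The added `expectedLocalError: "handshake failure"` lines pin the alert only in the renegotiation cases touched here (this hunk and the four after it, at -7060, -7073, -7086 and -7099), so nothing visible covers the same mismatch on an initial handshake. If the `!ok` branch in ext_ri_parse_serverhello can be reached before any renegotiation, which these hunks do not show, a case for that path with the same expectation would keep the alert from regressing there. A short comment on the first occurrence, e.g. `// RFC 5746 mandates a fatal handshake_failure on a renegotiation_info mismatch.`, would also explain why this string is expected. Each testCase literal begins above its hunk, so the names of the cases being edited are not visible.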
@@ -7073,6 +7075,7 @@ func addRenegotiationTests() {
 flags: []string{"-renegotiate-freely"},
 shouldFail: true,
 expectedError: ":RENEGOTIATION_MISMATCH:",
+ expectedLocalError: "handshake failure",
 })
 testCases = append(testCases, testCase{
 name: "Renegotiate-Client-Downgrade",
@@ -7086,6 +7089,7 @@ func addRenegotiationTests() {
 flags: []string{"-renegotiate-freely"},
 shouldFail: true,
 expectedError: ":RENEGOTIATION_MISMATCH:",
+ expectedLocalError: "handshake failure",
 })
 testCases = append(testCases, testCase{
 name: "Renegotiate-Client-Upgrade",
@@ -7099,6 +7103,7 @@ func addRenegotiationTests() {
 flags: []string{"-renegotiate-freely"},
 shouldFail: true,
 expectedError: ":RENEGOTIATION_MISMATCH:",
+ expectedLocalError: "handshake failure",
 })
 testCases = append(testCases, testCase{
 name: "Renegotiate-Client-NoExt-Allowed",