Send correct fatal alert the renegotation extension fails to match.

https://tools.ietf.org/html/rfc5746#section-3.4 says that
handshake_failure is the correct alert to send, but we were sending
illegal_parameter.

Change-Id: Ife951c5951f6f8e4c31a3f2f57307bfed1c24561
Reviewed-on: https://boringssl-review.googlesource.com/18408
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Adam Langley 2017-07-25 13:33:21 -07:00 committed by CQ bot account: commit-bot@chromium.org
parent 22df69103f
commit 10e1060261
2 changed files with 6 additions and 1 deletions


@ -802,7 +802,7 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
#endif #endif
if (!ok) { if (!ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_ILLEGAL_PARAMETER; *out_alert = SSL_AD_HANDSHAKE_FAILURE;
return 0; return 0;
} }
ssl->s3->send_connection_binding = 1; ssl->s3->send_connection_binding = 1;
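Review bot: The new `*out_alert = SSL_AD_HANDSHAKE_FAILURE;` in the `!ok` branch carries no comment explaining the choice of alert, and illegal_parameter reads like the natural choice for a bad extension value, so a later cleanup could quietly revert it. I would add above the assignment `/* RFC 5746, section 3.4: a renegotiation_info mismatch aborts with handshake_failure. */`. ext_ri_parse_serverhello starts and ends outside the hunk, so its other failure paths, and whether their alerts follow the same section, cannot be checked from here.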


@ -7047,6 +7047,7 @@ func addRenegotiationTests() {
flags: []string{"-renegotiate-freely"}, flags: []string{"-renegotiate-freely"},
shouldFail: true, shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:", expectedError: ":RENEGOTIATION_MISMATCH:",
expectedLocalError: "handshake failure",
}) })
testCases = append(testCases, testCase{ testCases = append(testCases, testCase{
name: "Renegotiate-Client-BadExt", name: "Renegotiate-Client-BadExt",
@ -7060,6 +7061,7 @@ func addRenegotiationTests() {
flags: []string{"-renegotiate-freely"}, flags: []string{"-renegotiate-freely"},
shouldFail: true, shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:", expectedError: ":RENEGOTIATION_MISMATCH:",
expectedLocalError: "handshake failure",
}) })
testCases = append(testCases, testCase{ testCases = append(testCases, testCase{
name: "Renegotiate-Client-BadExt2", name: "Renegotiate-Client-BadExt2",
@ -7073,6 +7075,7 @@ func addRenegotiationTests() {
flags: []string{"-renegotiate-freely"}, flags: []string{"-renegotiate-freely"},
shouldFail: true, shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:", expectedError: ":RENEGOTIATION_MISMATCH:",
expectedLocalError: "handshake failure",
}) })
testCases = append(testCases, testCase{ testCases = append(testCases, testCase{
name: "Renegotiate-Client-Downgrade", name: "Renegotiate-Client-Downgrade",
@ -7086,6 +7089,7 @@ func addRenegotiationTests() {
flags: []string{"-renegotiate-freely"}, flags: []string{"-renegotiate-freely"},
shouldFail: true, shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:", expectedError: ":RENEGOTIATION_MISMATCH:",
expectedLocalError: "handshake failure",
}) })
testCases = append(testCases, testCase{ testCases = append(testCases, testCase{
name: "Renegotiate-Client-Upgrade", name: "Renegotiate-Client-Upgrade",
@ -7099,6 +7103,7 @@ func addRenegotiationTests() {
flags: []string{"-renegotiate-freely"}, flags: []string{"-renegotiate-freely"},
shouldFail: true, shouldFail: true,
expectedError: ":RENEGOTIATION_MISMATCH:", expectedError: ":RENEGOTIATION_MISMATCH:",
expectedLocalError: "handshake failure",
}) })
testCases = append(testCases, testCase{ testCases = append(testCases, testCase{
name: "Renegotiate-Client-NoExt-Allowed", name: "Renegotiate-Client-NoExt-Allowed",
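Review bot: The expectation `expectedLocalError: "handshake failure",` is added as the same literal in five test cases (the hunks at 7047, 7060, 7073, 7086 and 7099), each beside an identical `expectedError: ":RENEGOTIATION_MISMATCH:",`, so any later change to the alert has to be repeated in five places. A file-level constant, for example `const renegotiationMismatchAlert = "handshake failure"`, used by all five would keep them in step. Every case name visible here is `Renegotiate-Client-…`, so whether a server-side mismatch case also pins its alert cannot be told from these hunks. Each test case literal starts outside its hunk.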