Send correct fatal alert if the renegotiation extension fails to match.
https://tools.ietf.org/html/rfc5746#section-3.4 says that handshake_failure is the correct alert to send, but we were sending illegal_parameter. Change-Id: Ife951c5951f6f8e4c31a3f2f57307bfed1c24561 Reviewed-on: https://boringssl-review.googlesource.com/18408 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
parent
22df69103f
commit
10e1060261
@ -802,7 +802,7 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
|
|||||||
#endif
|
#endif
|
||||||
if (!ok) {
|
if (!ok) {
|
||||||
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
|
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
|
||||||
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
|
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
ssl->s3->send_connection_binding = 1;
|
ssl->s3->send_connection_binding = 1;
|
||||||
|
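Review bot: The new `*out_alert = SSL_AD_HANDSHAKE_FAILURE;` line in the `!ok` branch has no comment saying why a mismatched renegotiation_info is not reported as illegal_parameter, so a later cleanup could plausibly change it back. I would add `/* RFC 5746, section 3.4: a renegotiation_info mismatch is a handshake_failure. */` directly above the assignment. ext_ri_parse_serverhello starts outside the hunk, so any earlier mismatch checks in it are not visible here. It is worth confirming they set the same alert, because otherwise peers and alert-based monitoring see two different alerts for the same failure class.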
@ -7047,6 +7047,7 @@ func addRenegotiationTests() {
|
|||||||
flags: []string{"-renegotiate-freely"},
|
flags: []string{"-renegotiate-freely"},
|
||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
expectedError: ":RENEGOTIATION_MISMATCH:",
|
expectedError: ":RENEGOTIATION_MISMATCH:",
|
||||||
|
expectedLocalError: "handshake failure",
|
||||||
})
|
})
|
||||||
testCases = append(testCases, testCase{
|
testCases = append(testCases, testCase{
|
||||||
name: "Renegotiate-Client-BadExt",
|
name: "Renegotiate-Client-BadExt",
|
||||||
@ -7060,6 +7061,7 @@ func addRenegotiationTests() {
|
|||||||
flags: []string{"-renegotiate-freely"},
|
flags: []string{"-renegotiate-freely"},
|
||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
expectedError: ":RENEGOTIATION_MISMATCH:",
|
expectedError: ":RENEGOTIATION_MISMATCH:",
|
||||||
|
expectedLocalError: "handshake failure",
|
||||||
})
|
})
|
||||||
testCases = append(testCases, testCase{
|
testCases = append(testCases, testCase{
|
||||||
name: "Renegotiate-Client-BadExt2",
|
name: "Renegotiate-Client-BadExt2",
|
||||||
@ -7073,6 +7075,7 @@ func addRenegotiationTests() {
|
|||||||
flags: []string{"-renegotiate-freely"},
|
flags: []string{"-renegotiate-freely"},
|
||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
expectedError: ":RENEGOTIATION_MISMATCH:",
|
expectedError: ":RENEGOTIATION_MISMATCH:",
|
||||||
|
expectedLocalError: "handshake failure",
|
||||||
})
|
})
|
||||||
testCases = append(testCases, testCase{
|
testCases = append(testCases, testCase{
|
||||||
name: "Renegotiate-Client-Downgrade",
|
name: "Renegotiate-Client-Downgrade",
|
||||||
@ -7086,6 +7089,7 @@ func addRenegotiationTests() {
|
|||||||
flags: []string{"-renegotiate-freely"},
|
flags: []string{"-renegotiate-freely"},
|
||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
expectedError: ":RENEGOTIATION_MISMATCH:",
|
expectedError: ":RENEGOTIATION_MISMATCH:",
|
||||||
|
expectedLocalError: "handshake failure",
|
||||||
})
|
})
|
||||||
testCases = append(testCases, testCase{
|
testCases = append(testCases, testCase{
|
||||||
name: "Renegotiate-Client-Upgrade",
|
name: "Renegotiate-Client-Upgrade",
|
||||||
@ -7099,6 +7103,7 @@ func addRenegotiationTests() {
|
|||||||
flags: []string{"-renegotiate-freely"},
|
flags: []string{"-renegotiate-freely"},
|
||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
expectedError: ":RENEGOTIATION_MISMATCH:",
|
expectedError: ":RENEGOTIATION_MISMATCH:",
|
||||||
|
expectedLocalError: "handshake failure",
|
||||||
})
|
})
|
||||||
testCases = append(testCases, testCase{
|
testCases = append(testCases, testCase{
|
||||||
name: "Renegotiate-Client-NoExt-Allowed",
|
name: "Renegotiate-Client-NoExt-Allowed",
|
||||||
|