mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-21 15:41:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Rename MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE

Browse Source 
New name MBEDTLS_ERR_SSL_BAD_CERTIFICATE

Also, replace some instances of MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
by MBEDTLS_ERR_SSL_DECODE_ERROR and MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
as fit.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit is contained in:
Hanno Becker 2021-06-24 11:03:13 +01:00 committed by Dave Rodgman
parent 5697af0d3d
commit 9ed1ba5926
3 changed files with 20 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/mbedtls/ssl.h
View File

@ -82,7 +82,7 @@
#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 /**< The peer notified us that the connection is going to be closed. */ #define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 /**< The peer notified us that the connection is going to be closed. */
#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 /**< Processing of the ClientHello handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 /**< Processing of the ClientHello handshake message failed. */
#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 /**< Processing of the ServerHello handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 /**< Processing of the ServerHello handshake message failed. */
#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE -0x7A00 /**< Processing of the Certificate handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00 /**< Processing of the Certificate handshake message failed. */
/* Error space gap */ /* Error space gap */
/* Error space gap */ /* Error space gap */
/* Error space gap */ /* Error space gap */

2
library/ssl_cli.c
View File

@ -2876,7 +2876,7 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
if( ssl_check_server_ecdh_params( ssl ) != 0 ) if( ssl_check_server_ecdh_params( ssl ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
} }
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)

30
library/ssl_tls.c
View File

@ -1855,13 +1855,19 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
} }
if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE || if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE )
ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) {
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); return( MBEDTLS_ERR_SSL_DECODE_ERROR );
} }
i = mbedtls_ssl_hs_hdr_len( ssl ); i = mbedtls_ssl_hs_hdr_len( ssl );
@ -1877,7 +1883,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); return( MBEDTLS_ERR_SSL_DECODE_ERROR );
} }
/* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
@ -1892,7 +1898,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
mbedtls_ssl_send_alert_message( ssl, mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
} }
/* In theory, the CRT can be up to 2**24 Bytes, but we don't support /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
* anything beyond 2**16 ~ 64K. */ * anything beyond 2**16 ~ 64K. */
@ -1902,7 +1908,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
mbedtls_ssl_send_alert_message( ssl, mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); return( MBEDTLS_ERR_SSL_DECODE_ERROR );
} }
/* Read length of the next CRT in the chain. */ /* Read length of the next CRT in the chain. */
@ -1916,7 +1922,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
mbedtls_ssl_send_alert_message( ssl, mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); return( MBEDTLS_ERR_SSL_DECODE_ERROR );
} }
/* Check if we're handling the first CRT in the chain. */ /* Check if we're handling the first CRT in the chain. */
@ -1937,8 +1943,8 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
mbedtls_ssl_send_alert_message( ssl, mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
} }
/* Now we can safely free the original chain. */ /* Now we can safely free the original chain. */
@ -2148,7 +2154,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
if( ret == 0 ) if( ret == 0 )
ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
} }
} }
#endif /* MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_C */
@ -2160,7 +2166,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( ret == 0 ) if( ret == 0 )
ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
} }
/* mbedtls_x509_crt_verify_with_profile is supposed to report a /* mbedtls_x509_crt_verify_with_profile is supposed to report a
@ -2171,7 +2177,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
* ssl_parse_certificate even if verification was optional. */ * ssl_parse_certificate even if verification was optional. */
if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) ) ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
{ {
ret = 0; ret = 0;
} }