Include a more meaningful error message when rejecting legacy renegotiation
authorDr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 14:20:21 +0000 (14:20 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 18 Nov 2009 14:20:21 +0000 (14:20 +0000)
ssl/ssl.h
ssl/ssl_err.c
ssl/t1_lib.c

index c4a5fc9..1d82a6d 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1954,7 +1954,9 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE                   185
 #define SSL_F_SSL_NEW                                   186
 #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT     300
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT              302
 #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT     301
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT              303
 #define SSL_F_SSL_PEEK                                  270
 #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT            281
 #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT            282
@@ -2251,6 +2253,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                         253
 #define SSL_R_UNKNOWN_SSL_VERSION                       254
 #define SSL_R_UNKNOWN_STATE                             255
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED      338
 #define SSL_R_UNSUPPORTED_CIPHER                        256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM                 257
 #define SSL_R_UNSUPPORTED_DIGEST_TYPE                   326
index f20c054..7540bd4 100644 (file)
@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),      "SSL_load_client_CA_file"},
 {ERR_FUNC(SSL_F_SSL_NEW),      "SSL_new"},
 {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),        "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT),        "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PEEK),     "SSL_peek"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),       "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),       "SSL_PREPARE_SERVERHELLO_TLSEXT"},
@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
 {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
 {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
index af196de..43c651f 100644 (file)
@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        {
                        /* We should always see one extension: the renegotiate extension */
                        *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+                       SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                        return 0;
                        }
                return 1;
@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        if (s->new_session && !renegotiate_seen
                && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
                {
+               SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
                return 0;
                }
@@ -992,6 +994,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        {
                        /* We should always see one extension: the renegotiate extension */
                        *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+                       SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                        return 0;
                        }
                return 1;
@@ -1130,6 +1133,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
                {
                *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+               SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                return 0;
                }
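Review bot: The four new SSLerr() calls in ssl/t1_lib.c are placed inconsistently relative to the alert assignment — the hunk at +966 puts `SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);` before `*al = SSL_AD_ILLEGAL_PARAMETER;`, while the hunks at +636, +994 and +1133 put it after — and every site still carries the unresolved `/* is this the right alert? */` comment even though this commit touches all four of them. Order the two statements the same way at each site, and since the alert choice is now visibly one decision repeated four times, settle it once with a comment that records why SSL_AD_ILLEGAL_PARAMETER was kept (or pick the alert the renegotiation_info specification calls for) instead of leaving the question to the next reader. The new reason code is worth keeping exactly as added: it lets server-side logs distinguish a refused legacy renegotiation from other TLS extension parse failures, which is the signal an operator wants when auditing clients that have not been upgraded. Both ssl_parse_clienthello_tlsext and ssl_parse_serverhello_tlsext begin and end outside these hunks, so the conditions guarding the +636 and +994 sites are not visible here and are assumed to be the no-extensions-present path the surrounding comments describe.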