Send TLS alerts for errors in TLS handshake building
authorMartin Willi <martin@revosec.ch>
Wed, 25 Aug 2010 16:24:27 +0000 (18:24 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 25 Aug 2010 16:24:27 +0000 (18:24 +0200)
src/libtls/tls_fragmentation.c
src/libtls/tls_peer.c
src/libtls/tls_server.c

index 858156b5058d05d1f21ca2798e1771a78b8a9165..6fe3dd65b0fbc7d534ee93dad75bf46140a01a3c 100644 (file)
@@ -330,6 +330,9 @@ static status_t build_handshake(private_tls_fragmentation_t *this)
        return status;
 }
 
+/**
+ * Build TLS application data
+ */
 static status_t build_application(private_tls_fragmentation_t *this)
 {
        tls_writer_t *msg;
index ea2200562a8ea37f1d0bb74e1657919b53661d79..94448bbf752f558085ebb3c6dc3a72f478635abf 100644 (file)
@@ -451,6 +451,7 @@ static status_t send_certificate(private_tls_peer_t *this,
        if (!this->private)
        {
                DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer);
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return FAILED;
        }
 
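Review bot: The fatal internal_error alert queued on the `if (!this->private)` path in send_certificate turns a missing client credential into an abort, but RFC 5246 §7.4.6 says a client with no suitable certificate MUST answer a CertificateRequest with an empty Certificate message and let the server decide; if client authentication is mandatory for this use (presumably the EAP-TLS peer side), aborting is right, but the code should say so, and internal_error is a misleading description for what the log line itself calls a missing certificate. I would add above the check: `/* no client key: fatal, client authentication is mandatory here (RFC 5246 7.4.6 would otherwise allow an empty Certificate message) */`. send_certificate starts before this hunk and continues after it. The mirrored check in the server's send_certificate (tls_server.c, same commit) is genuinely fatal and needs no such comment.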
@@ -510,6 +511,7 @@ static status_t send_key_exchange(private_tls_peer_t *this,
        if (!rng)
        {
                DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return FAILED;
        }
        rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
@@ -535,6 +537,7 @@ static status_t send_key_exchange(private_tls_peer_t *this,
        if (!public)
        {
                DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+               this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
                return FAILED;
        }
        if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
@@ -542,6 +545,7 @@ static status_t send_key_exchange(private_tls_peer_t *this,
        {
                public->destroy(public);
                DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
+               this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
                return FAILED;
        }
 
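Review bot: The bad_certificate alert queued when `public->encrypt(public, ENCRYPT_RSA_PKCS1, ...)` fails describes a corrupt or badly signed certificate (RFC 5246 §7.2.2), whereas a failed local RSA PKCS#1 encryption with a key object that was already obtained more probably means the key type does not fit the RSA key exchange or the crypto backend lacks the operation; the unsupported_certificate or internal_error descriptions fit those causes better, depending on which can occur here. This failure path also returns with the plaintext premaster secret still in the stack buffer filled by `rng->get_bytes` earlier in this function; wiping it with the library's secure-wipe helper (or a volatile memset) before `return FAILED` is one line and keeps key material off the stack on the error path. send_key_exchange begins before this hunk and continues after it.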
@@ -566,6 +570,7 @@ static status_t send_certificate_verify(private_tls_peer_t *this,
                !this->crypto->sign_handshake(this->crypto, this->private, writer))
        {
                DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return FAILED;
        }
 
@@ -586,6 +591,7 @@ static status_t send_finished(private_tls_peer_t *this,
        if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
        {
                DBG1(DBG_TLS, "calculating client finished data failed");
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return FAILED;
        }
 
index 0914afad3ce3136f606cf91c5dbba2a179dac1d0..47e12a854f096e0837aec6eb8a5afe2d4d9579fa 100644 (file)
@@ -414,6 +414,7 @@ static status_t send_server_hello(private_tls_server_t *this,
        if (!rng)
        {
                DBG1(DBG_TLS, "no suitable RNG found to generate server random");
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return FAILED;
        }
        rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
@@ -456,6 +457,7 @@ static status_t send_certificate(private_tls_server_t *this,
        if (!this->private)
        {
                DBG1(DBG_TLS, "no TLS server certificate found for '%Y'", this->server);
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return FAILED;
        }
 
@@ -563,6 +565,7 @@ static status_t send_finished(private_tls_server_t *this,
        if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
        {
                DBG1(DBG_TLS, "calculating server finished data failed");
+               this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return FAILED;
        }