From: Martin Willi
Date: Wed, 25 Aug 2010 16:24:27 +0000 (+0200)
Subject: Send TLS alerts for errors in TLS handshake building
X-Git-Tag: 4.5.0~399
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a596006e3f5ed37cc9d5fee773d9fd02471c295d;p=thirdparty%2Fstrongswan.git

Send TLS alerts for errors in TLS handshake building
---

diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index 858156b505..6fe3dd65b0 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -330,6 +330,9 @@ static status_t build_handshake(private_tls_fragmentation_t *this)
 	return status;
 }
 
+/**
+ * Build TLS application data
+ */
 static status_t build_application(private_tls_fragmentation_t *this)
 {
 	tls_writer_t *msg;
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index ea2200562a..94448bbf75 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -451,6 +451,7 @@ static status_t send_certificate(private_tls_peer_t *this,
 	if (!this->private)
 	{
 		DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return FAILED;
 	}
 
@@ -510,6 +511,7 @@ static status_t send_key_exchange(private_tls_peer_t *this,
 	if (!rng)
 	{
 		DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return FAILED;
 	}
 	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
@@ -535,6 +537,7 @@ static status_t send_key_exchange(private_tls_peer_t *this,
 	if (!public)
 	{
 		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
 		return FAILED;
 	}
 	if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
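Review bot: On the `!public` path of the `@@ -535` hunk the `premaster` buffer already holds the random bytes written by `rng->get_bytes` in the `@@ -510` hunk, and the function returns with the buffer uncleared; the encrypt-failure path in the `@@ -542` hunk has the same gap. `sizeof(premaster)` shows it is an array rather than a pointer, so a clear of the buffer before each of these `return FAILED` lines (the project's secure-wipe helper if one exists, otherwise an explicit overwrite) would keep the premaster secret from lingering after the failed handshake. The lines between the two send_key_exchange hunks are not in the diff, so whether any other failing return in that stretch also received an alert cannot be confirmed from here. send_key_exchange starts and ends outside these hunks.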
@@ -542,6 +545,7 @@ static status_t send_key_exchange(private_tls_peer_t *this,
 	{
 		public->destroy(public);
 		DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
 		return FAILED;
 	}
 
@@ -566,6 +570,7 @@ static status_t send_certificate_verify(private_tls_peer_t *this,
 		!this->crypto->sign_handshake(this->crypto, this->private, writer))
 	{
 		DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return FAILED;
 	}
 
@@ -586,6 +591,7 @@ static status_t send_finished(private_tls_peer_t *this,
 	if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
 	{
 		DBG1(DBG_TLS, "calculating client finished data failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return FAILED;
 	}
 
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 0914afad3c..47e12a854f 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -414,6 +414,7 @@ static status_t send_server_hello(private_tls_server_t *this,
 	if (!rng)
 	{
 		DBG1(DBG_TLS, "no suitable RNG found to generate server random");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return FAILED;
 	}
 	rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
@@ -456,6 +457,7 @@ static status_t send_certificate(private_tls_server_t *this,
 	if (!this->private)
 	{
 		DBG1(DBG_TLS, "no TLS server certificate found for '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return FAILED;
 	}
 
@@ -563,6 +565,7 @@ static status_t send_finished(private_tls_server_t *this,
 	if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
 	{
 		DBG1(DBG_TLS, "calculating server finished data failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return FAILED;
 	}
 
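Review bot: The alert chosen in the `@@ -542` hunk, `TLS_BAD_CERTIFICATE` after `public->encrypt` fails, does not match what the adjacent log line reports: an encryption failure can be a local crypto-backend problem or a key type that does not support RSA PKCS#1, neither of which means the server's certificate was malformed. An internal_error or handshake_failure-class alert would describe the condition to the peer more accurately, and the `@@ -535` hunk already uses a certificate-specific alert for the genuinely certificate-related case. If bad_certificate is intentional, a one-line comment above the `add` call stating why (e.g. that a key rejected by `ENCRYPT_RSA_PKCS1` is treated as an unusable certificate) would save the next reader the same question. The remaining hunks on this line consistently use `TLS_INTERNAL_ERROR` for local failures, which reads correctly; all of the enclosing functions start and end outside their hunks.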