a non-fatal error which will propagate and in many cases it shouldn't.
Avoid sending no renegotiation alert when a client connects to an unsafe server. Thanks
to Tomas Hoger for the report.
ret = GNUTLS_A_ILLEGAL_PARAMETER;
_level = GNUTLS_AL_FATAL;
break;
+ case GNUTLS_E_UNKNOWN_SRP_USERNAME:
+ ret = GNUTLS_A_UNKNOWN_PSK_IDENTITY;
+ _level = GNUTLS_AL_FATAL;
+ break;
case GNUTLS_E_ASN1_ELEMENT_NOT_FOUND:
case GNUTLS_E_ASN1_IDENTIFIER_NOT_FOUND:
case GNUTLS_E_ASN1_DER_ERROR:
_level = GNUTLS_AL_FATAL;
break;
case GNUTLS_E_REHANDSHAKE:
+ case GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED:
ret = GNUTLS_A_NO_RENEGOTIATION;
_level = GNUTLS_AL_WARNING;
break;
GNUTLS_E_OPENPGP_SUBKEY_ERROR, 1),
ERROR_ENTRY (N_("Safe renegotiation failed."),
GNUTLS_E_SAFE_RENEGOTIATION_FAILED, 1),
+ ERROR_ENTRY (N_("Unsafe renegotiation denied."),
+ GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED, 1),
ERROR_ENTRY (N_("The SRP username supplied is illegal."),
GNUTLS_E_ILLEGAL_SRP_USERNAME, 1),
+ ERROR_ENTRY (N_("The SRP username supplied is unknown."),
+ GNUTLS_E_UNKNOWN_SRP_USERNAME, 1),
ERROR_ENTRY (N_("The OpenPGP fingerprint is not supported."),
GNUTLS_E_OPENPGP_FINGERPRINT_UNSUPPORTED, 1),
* alert and abort.
*/
gnutls_assert ();
- ret = gnutls_alert_send (session, GNUTLS_AL_FATAL,
- GNUTLS_A_UNKNOWN_PSK_IDENTITY);
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- return GNUTLS_E_ILLEGAL_SRP_USERNAME;
+ return GNUTLS_E_UNKNOWN_SRP_USERNAME;
}
}
#endif
{
if (session->internals.priorities.unsafe_renegotiation != 0)
{
- _gnutls_handshake_log ("Allowing unsafe renegotiation!\n");
+ _gnutls_handshake_log ("Allowing unsafe (re)negotiation!\n");
}
else
{
gnutls_assert();
- _gnutls_handshake_log ("Denying unsafe renegotiation.\n");
- ret = gnutls_alert_send (session, GNUTLS_AL_WARNING,
- GNUTLS_A_NO_RENEGOTIATION);
-
- if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
-
- return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
+ _gnutls_handshake_log ("Denying unsafe (re)negotiation.\n");
+ if (session->security_parameters.entity == GNUTLS_SERVER)
+ return GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED; /* send no renegotiation alert */
+ else
+ return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
}
}
else
#define GNUTLS_E_UNKNOWN_ALGORITHM -105
#define GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM -106
#define GNUTLS_E_SAFE_RENEGOTIATION_FAILED -107
+#define GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED -108
+#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109
#define GNUTLS_E_BASE64_ENCODING_ERROR -201
#define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */