#define GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR 0x00
#define GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR 0xFF
+#define GNUTLS_FALLBACK_SCSV_MAJOR 0x56
+#define GNUTLS_FALLBACK_SCSV_MINOR 0x00
+
/* would allow for 256 ciphersuites */
#define MAX_CIPHERSUITE_SIZE 512
ALERT_ENTRY(GNUTLS_A_SSL3_NO_CERTIFICATE,
N_("No certificate (SSL 3.0)")),
ALERT_ENTRY(GNUTLS_A_INTERNAL_ERROR, N_("Internal error")),
+ ALERT_ENTRY(GNUTLS_A_INAPPROPRIATE_FALLBACK,
+ N_("Inappropriate fallback")),
ALERT_ENTRY(GNUTLS_A_NO_RENEGOTIATION,
N_("No renegotiation is allowed")),
ALERT_ENTRY(GNUTLS_A_CERTIFICATE_UNOBTAINABLE,
ret = GNUTLS_A_INTERNAL_ERROR;
_level = GNUTLS_AL_FATAL;
break;
+ case GNUTLS_E_INAPPROPRIATE_FALLBACK:
+ ret = GNUTLS_A_INAPPROPRIATE_FALLBACK;
+ _level = GNUTLS_AL_FATAL;
+ break;
case GNUTLS_E_OPENPGP_GETKEY_FAILED:
ret = GNUTLS_A_CERTIFICATE_UNOBTAINABLE;
_level = GNUTLS_AL_FATAL;
GNUTLS_E_INVALID_SESSION),
ERROR_ENTRY(N_("GnuTLS internal error."), GNUTLS_E_INTERNAL_ERROR),
+ ERROR_ENTRY(N_(
+ "A connection with inappropriate fallback was attempted."),
+ GNUTLS_E_INAPPROPRIATE_FALLBACK),
ERROR_ENTRY(N_("An illegal TLS extension was received."),
GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION),
ERROR_ENTRY(N_("A TLS fatal alert has been received."),
* supported by the peer.
*/
- /* First, check for safe renegotiation SCSV.
- */
- if (session->internals.priorities.sr != SR_DISABLED) {
- unsigned int offset;
-
- for (offset = 0; offset < datalen; offset += 2) {
- /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
- if (data[offset] ==
- GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR
- && data[offset + 1] ==
- GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {
- _gnutls_handshake_log
- ("HSK[%p]: Received safe renegotiation CS\n",
- session);
- retval = _gnutls_ext_sr_recv_cs(session);
- if (retval < 0) {
- gnutls_assert();
- return retval;
- }
- break;
+ for (i = 0; i < datalen; i += 2) {
+ /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
+ if (session->internals.priorities.sr != SR_DISABLED &&
+ data[i] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
+ data[i + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Received safe renegotiation CS\n",
+ session);
+ retval = _gnutls_ext_sr_recv_cs(session);
+ if (retval < 0) {
+ gnutls_assert();
+ return retval;
}
}
+
+ /* TLS_FALLBACK_SCSV */
+ if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
+ data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Received fallback CS\n",
+ session);
+
+ if (gnutls_protocol_get_version(session) !=
+ GNUTLS_TLS_VERSION_MAX)
+ return GNUTLS_E_INAPPROPRIATE_FALLBACK;
+ }
}
pk_algos_size = MAX_ALGOS;
* @GNUTLS_A_INSUFFICIENT_SECURITY: Insufficient security.
* @GNUTLS_A_USER_CANCELED: User canceled.
* @GNUTLS_A_INTERNAL_ERROR: Internal error.
+ * @GNUTLS_A_INAPPROPRIATE_FALLBACK: Inappropriate fallback,
* @GNUTLS_A_NO_RENEGOTIATION: No renegotiation is allowed.
* @GNUTLS_A_CERTIFICATE_UNOBTAINABLE: Could not retrieve the
* specified certificate.
GNUTLS_A_PROTOCOL_VERSION = 70,
GNUTLS_A_INSUFFICIENT_SECURITY,
GNUTLS_A_INTERNAL_ERROR = 80,
+ GNUTLS_A_INAPPROPRIATE_FALLBACK = 86,
GNUTLS_A_USER_CANCELED = 90,
GNUTLS_A_NO_RENEGOTIATION = 100,
GNUTLS_A_UNSUPPORTED_EXTENSION = 110,
#define GNUTLS_E_PKCS1_WRONG_PAD -57
#define GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION -58
#define GNUTLS_E_INTERNAL_ERROR -59
+#define GNUTLS_E_INAPPROPRIATE_FALLBACK -60 /*GNUTLS_A_INAPPROPRIATE_FALLBACK*/
#define GNUTLS_E_DH_PRIME_UNACCEPTABLE -63
#define GNUTLS_E_FILE_ERROR -64
#define GNUTLS_E_TOO_MANY_EMPTY_PACKETS -78
projects / thirdparty / gnutls.git / commitdiff
