case GNUTLS_E_ILLEGAL_SRP_USERNAME:
case GNUTLS_E_PK_INVALID_PUBKEY:
case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
+ case GNUTLS_E_RECEIVED_DISALLOWED_NAME:
ret = GNUTLS_A_ILLEGAL_PARAMETER;
_level = GNUTLS_AL_FATAL;
break;
ERROR_ENTRY(N_("An illegal parameter was found."),
GNUTLS_E_ILLEGAL_PARAMETER),
ERROR_ENTRY(N_("Error while reading file."), GNUTLS_E_FILE_ERROR),
+ ERROR_ENTRY(N_("A disallowed SNI server name has been received."),
+ GNUTLS_E_RECEIVED_DISALLOWED_NAME),
ERROR_ENTRY(N_("ASN1 parser: Element was not found."),
GNUTLS_E_ASN1_ELEMENT_NOT_FOUND),
*
* If a GnuTLS function returns a negative error code you may feed that
* value to this function to see if the error condition is fatal to
- * a TLS session (i.e., must be terminated).
+ * a TLS session (i.e., must be terminated).
*
* Note that you may also want to check the error code manually, since some
* non-fatal errors to the protocol (such as a warning alert or
* a rehandshake request) may be fatal for your program.
*
* This function is only useful if you are dealing with errors from
- * functions that relate to a TLS session (e.g., record layer or handshake
+ * functions that relate to a TLS session (e.g., record layer or handshake
* layer handling functions).
*
* Returns: Non-zero value on fatal errors or zero on non-fatal.
DECR_LEN(data_size, len);
if (type == 0) { /* NAME_DNS */
- if (!_gnutls_dnsname_is_valid((char*)p, len))
- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ if (!_gnutls_dnsname_is_valid((char*)p, len)) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Server name is not acceptable: '%.*s'\n",
+ session, (int) len, p);
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_DISALLOWED_NAME);
+ }
name.data = (void*)p;
name.size = len;
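Review bot: The new log call (the lines after the failed `_gnutls_dnsname_is_valid` check) copies the rejected, peer-supplied server name into the handshake log verbatim through `%.*s`; since the bytes have just failed validation they can hold control characters, and the embedded-NUL case this commit's tests exercise makes `%.*s` stop early, so the logged text may not match what was received. A length-only message avoids writing unvalidated bytes into the log, e.g. `("HSK[%p]: Server name is not acceptable (%d bytes)\n", session, (int) len);`, or the bytes can be escaped before printing if the content is wanted for debugging. The `%.*s` argument also passes `p` without the `(char*)` cast used for the validator call on the line above; if `p` is an unsigned byte pointer (its declaration is not in the hunk) the cast should be applied here too for a matching argument type. The enclosing function starts and ends outside this hunk.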
#define GNUTLS_E_TOO_MANY_EMPTY_PACKETS -78
#define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
#define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
+#define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
/* returned if you need to generate temporary RSA
* parameters. These are needed for export cipher suites.
test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", 0, 0);
test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκοσ.com");
test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκος.com");
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
start("tls1.2 test.example.com", PRIO_TLS12, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
start("tls1.2 longtest.example.com", PRIO_TLS12, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
/* test embedded NULL */
- start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
start("tls1.3 NULL", PRIO_TLS13, 0, NULL, 0, NULL, 0, 0);
start("tls1.3 empty", PRIO_TLS13, 0, "", 0, "", 0, 0);
start("tls1.3 test.example.com", PRIO_TLS13, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
start("tls1.3 longtest.example.com", PRIO_TLS13, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
/* test embedded NULL */
- start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
start("NULL", PRIO_NORMAL, 0, NULL, 0, NULL, 0, 0);
start("empty", PRIO_NORMAL, 0, "", 0, "", 0, 0);
start("test.example.com", PRIO_NORMAL, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
start("longtest.example.com", PRIO_NORMAL, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
/* test embedded NULL */
- start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
}
#endif /* _WIN32 */
/* the raw DNS should result to verification failure as the advertized name should
* not be considered and the first cert should be provided */
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);