From a0ca87eb68cda0d9e20644a4c81ec38f70e51690 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 24 Jun 2021 10:27:37 +0100 Subject: [PATCH] Remove MBEDTLS_ERR_SSL_BAD_HS_FINISHED Signed-off-by: Hanno Becker --- include/mbedtls/error.h | 4 ++-- include/mbedtls/ssl.h | 2 +- library/ssl_tls.c | 16 +++++++++++----- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 6ba280ab1..54465149f 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -102,8 +102,8 @@ * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 24 (Started from top, plus 0x6000) - * SSL 7 24 (Started from 0x7080, gaps at - * 0x7500-0x7580, 0x7B80-0x7E00) + * SSL 7 23 (Started from 0x7080, gaps at + * 0x7500-0x7580, 0x7B80-0x7E80) * * Module dependent error code (5 bits 0x.00.-0x.F8.) */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d8d7f579e..2751aa25a 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -91,7 +91,7 @@ /* Error space gap */ /* Error space gap */ /* Error space gap */ -#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED -0x7E80 /**< Processing of the Finished handshake message failed. */ +/* Error space gap */ #define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00 /**< Memory allocation failed */ #define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED -0x7F80 /**< Hardware acceleration function returned with error */ #define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 /**< Hardware acceleration function skipped / left alone data */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1396400ce..d11658217 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2903,13 +2903,19 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) hash_len = 12; - if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED || - ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) + if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ) + { + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); + return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); + } + + if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), @@ -2917,8 +2923,8 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); - return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } #if defined(MBEDTLS_SSL_RENEGOTIATION)