author | Tim Rühsen <tim.ruehsen@gmx.de> | 2019-01-26 21:44:28 +0100 |
---|---|---|
committer | Tim Rühsen <tim.ruehsen@gmx.de> | 2019-01-31 10:02:36 +0100 |
commit | 71d921edc4a9716a9d6c01dd9307ad892f55a17a (patch) | |
tree | 9394174daa5fea800916acb06bdf9b0189887ea5 | |
parent | 21d2b7e766323fbd7eed6cf2efe7743991a2099c (diff) | |
Add GNUTLS_E_RECEIVED_DISALLOWED_NAME for illegal SNI names
An illegal/disallowed SNI server name previously generated
the misleading message "An illegal parameter has been received.".
This commit changes it to
"A disallowed SNI server name has been received.".
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
-rw-r--r-- | lib/alert.c | 1 | ||||
-rw-r--r-- | lib/errors.c | 6 | ||||
-rw-r--r-- | lib/ext/server_name.c | 8 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 1 | ||||
-rw-r--r-- | tests/cert_verify_inv_utf8.c | 2 | ||||
-rw-r--r-- | tests/mini-server-name.c | 6 | ||||
-rw-r--r-- | tests/set_key_utf8.c | 2 | ||||
-rw-r--r-- | tests/set_x509_key_utf8.c | 2 |
8 files changed, 18 insertions, 10 deletions
diff --git a/lib/alert.c b/lib/alert.c
index 15f5183430..a2d1725e6b 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -224,6 +224,7 @@ int gnutls_error_to_alert(int err, int *level)
 case GNUTLS_E_ILLEGAL_SRP_USERNAME:
 case GNUTLS_E_PK_INVALID_PUBKEY:
 case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
+ case GNUTLS_E_RECEIVED_DISALLOWED_NAME:
 ret = GNUTLS_A_ILLEGAL_PARAMETER;
 _level = GNUTLS_AL_FATAL;
 break;
diff --git a/lib/errors.c b/lib/errors.c
index a1bdf9b873..520958b70c 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -206,6 +206,8 @@ static const gnutls_error_entry error_entries[] = {
 ERROR_ENTRY(N_("An illegal parameter was found."),
 GNUTLS_E_ILLEGAL_PARAMETER),
 ERROR_ENTRY(N_("Error while reading file."), GNUTLS_E_FILE_ERROR),
+ ERROR_ENTRY(N_("A disallowed SNI server name has been received."),
+ GNUTLS_E_RECEIVED_DISALLOWED_NAME),
 ERROR_ENTRY(N_("ASN1 parser: Element was not found."),
 GNUTLS_E_ASN1_ELEMENT_NOT_FOUND),
@@ -462,14 +464,14 @@ static const gnutls_error_entry non_fatal_error_entries[] = {
 *
 * If a GnuTLS function returns a negative error code you may feed that
 * value to this function to see if the error condition is fatal to
- * a TLS session (i.e., must be terminated).
+ * a TLS session (i.e., must be terminated).
 *
 * Note that you may also want to check the error code manually, since some
 * non-fatal errors to the protocol (such as a warning alert or
 * a rehandshake request) may be fatal for your program.
 *
 * This function is only useful if you are dealing with errors from
- * functions that relate to a TLS session (e.g., record layer or handshake
+ * functions that relate to a TLS session (e.g., record layer or handshake
 * layer handling functions).
 *
 * Returns: Non-zero value on fatal errors or zero on non-fatal.
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 1f9f3814f1..9c8c533490 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -105,8 +105,12 @@ _gnutls_server_name_recv_params(gnutls_session_t session,
 DECR_LEN(data_size, len);
 if (type == 0) { /* NAME_DNS */
- if (!_gnutls_dnsname_is_valid((char*)p, len))
- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ if (!_gnutls_dnsname_is_valid((char*)p, len)) {
+ _gnutls_handshake_log
+ ("HSK[%p]: Server name is not acceptable: '%.*s'\n",
+ session, (int) len, p);
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_DISALLOWED_NAME);
+ }
 name.data = (void*)p;
 name.size = len;
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 7e6a592447..8359fe2ea5 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3141,6 +3141,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
 #define GNUTLS_E_TOO_MANY_EMPTY_PACKETS -78
 #define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
 #define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
+#define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
 /* returned if you need to generate temporary RSA
 * parameters. These are needed for export cipher suites.
diff --git a/tests/cert_verify_inv_utf8.c b/tests/cert_verify_inv_utf8.c
index 4afd52311d..095a55f3df 100644
--- a/tests/cert_verify_inv_utf8.c
+++ b/tests/cert_verify_inv_utf8.c
@@ -137,7 +137,7 @@ static void auto_parse(void)
 test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", 0, 0);
 test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκοσ.com");
 test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκος.com");
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
 gnutls_certificate_free_credentials(x509_cred);
 gnutls_certificate_free_credentials(clicred);
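Review bot: The new `_gnutls_handshake_log` call in `_gnutls_server_name_recv_params` prints the peer-supplied SNI bytes with `'%.*s'` immediately after `_gnutls_dnsname_is_valid` has rejected them, so the handshake log receives unvalidated bytes that may include control characters or terminal escape sequences, and an embedded NUL (the case tests/mini-server-name.c exercises) silently truncates what is printed. Operators and log parsers should not have to trust bytes chosen by the remote peer; logging only the length, `("HSK[%p]: Server name is not acceptable (%d bytes)\n", session, (int) len);`, or a hex-encoded copy of the name keeps the diagnostic without the log-injection surface. The function body starts and ends outside the hunk, so how `len` is bounded before the `(int)` cast is not visible here.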
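Review bot: The comment on the new public code `GNUTLS_E_RECEIVED_DISALLOWED_NAME` in gnutls.h.in names only the alert, and nothing in the header tells callers that a rejected SNI name no longer surfaces as `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER`. Server code or log-based alerting that matched on the old code for malformed SNI will stop matching after this change, as the updated expectations in the test files show. I would extend the comment, for example `/* GNUTLS_A_ILLEGAL_PARAMETER; invalid SNI server name, previously reported as GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER */`, and record the change wherever the project documents API behaviour changes.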
diff --git a/tests/mini-server-name.c b/tests/mini-server-name.c
index 0da27cc3e1..e18dcfc150 100644
--- a/tests/mini-server-name.c
+++ b/tests/mini-server-name.c
@@ -310,21 +310,21 @@ void doit(void)
 start("tls1.2 test.example.com", PRIO_TLS12, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
 start("tls1.2 longtest.example.com", PRIO_TLS12, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
 /* test embedded NULL */
- start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
 start("tls1.3 NULL", PRIO_TLS13, 0, NULL, 0, NULL, 0, 0);
 start("tls1.3 empty", PRIO_TLS13, 0, "", 0, "", 0, 0);
 start("tls1.3 test.example.com", PRIO_TLS13, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
 start("tls1.3 longtest.example.com", PRIO_TLS13, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
 /* test embedded NULL */
- start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
 start("NULL", PRIO_NORMAL, 0, NULL, 0, NULL, 0, 0);
 start("empty", PRIO_NORMAL, 0, "", 0, "", 0, 0);
 start("test.example.com", PRIO_NORMAL, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
 start("longtest.example.com", PRIO_NORMAL, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
 /* test embedded NULL */
- start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.",
sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
 }
 #endif /* _WIN32 */
diff --git a/tests/set_key_utf8.c b/tests/set_key_utf8.c
index 7a02e45618..81d5ef2c05 100644
--- a/tests/set_key_utf8.c
+++ b/tests/set_key_utf8.c
@@ -140,7 +140,7 @@ static void auto_parse(void)
 /* the raw DNS should result to verification failure as the advertized name should
 * not be considered and the first cert should be provided */
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
 gnutls_certificate_free_credentials(x509_cred);
 gnutls_certificate_free_credentials(clicred);
diff --git a/tests/set_x509_key_utf8.c b/tests/set_x509_key_utf8.c
index 7cc5b99ea8..7753c7f4c9 100644
--- a/tests/set_x509_key_utf8.c
+++ b/tests/set_x509_key_utf8.c
@@ -177,7 +177,7 @@ void doit(void)
 test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
 test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */
- test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
 gnutls_certificate_free_credentials(x509_cred);
 gnutls_certificate_free_credentials(clicred); |