authorrobot-contrib <robot-contrib@yandex-team.com>2022-10-19 19:34:47 +0300
committerrobot-contrib <robot-contrib@yandex-team.com>2022-10-19 19:34:47 +0300
commita42f7e7e0064e0d5bc54bde4506539d4766e1356 (patch)
tree348bb42084aed2b557684fbe188656938ab1a492 /contrib/restricted/aws/s2n/tls/s2n_alerts.c
parentcd66afc0fd1f9359cdf239e4a4f3a345b174e00e (diff)
downloadydb-a42f7e7e0064e0d5bc54bde4506539d4766e1356.tar.gz
Update contrib/restricted/aws/s2n to 1.3.24
Diffstat (limited to 'contrib/restricted/aws/s2n/tls/s2n_alerts.c')
-rw-r--r--contrib/restricted/aws/s2n/tls/s2n_alerts.c32
1 files changed, 30 insertions, 2 deletions
diff --git a/contrib/restricted/aws/s2n/tls/s2n_alerts.c b/contrib/restricted/aws/s2n/tls/s2n_alerts.c
index 51f13b416f..5ecf10b47d 100644
--- a/contrib/restricted/aws/s2n/tls/s2n_alerts.c
+++ b/contrib/restricted/aws/s2n/tls/s2n_alerts.c
@@ -54,6 +54,14 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t
*/
S2N_ALERT_CASE(S2N_ERR_BAD_MESSAGE, S2N_TLS_ALERT_UNEXPECTED_MESSAGE);
+ /* For errors involving secure renegotiation:
+ *= https://tools.ietf.org/rfc/rfc5746#3.4
+ *# Note: later in Section 3, "abort the handshake" is used as
+ *# shorthand for "send a fatal handshake_failure alert and
+ *# terminate the connection".
+ */
+ S2N_ALERT_CASE(S2N_ERR_NO_RENEGOTIATION, S2N_TLS_ALERT_HANDSHAKE_FAILURE);
+
/* TODO: Add mappings for other protocol errors.
*/
S2N_NO_ALERT(S2N_ERR_ENCRYPT);
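Review bot: The new S2N_ERR_NO_RENEGOTIATION mapping emits a fatal handshake_failure, while elsewhere in this commit the same condition is also surfaced as a warning-level no_renegotiation alert via s2n_queue_reader_no_renegotiation_alert; nothing in the hunk tells the reader which path applies when. A one-line addition to the new comment would remove the ambiguity, e.g. `* This mapping covers the error path; a warning-level no_renegotiation alert is queued separately when the request is declined rather than failed.` (wording to be confirmed against the callers, which are not visible here). s2n_translate_protocol_error_to_alert starts and ends outside the hunk.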
@@ -128,7 +136,7 @@ static bool s2n_alerts_supported(struct s2n_connection *conn)
return !s2n_connection_is_quic_enabled(conn);
}
-static bool s2n_handle_as_warning(struct s2n_connection *conn, uint8_t level, uint8_t type)
+static bool s2n_process_as_warning(struct s2n_connection *conn, uint8_t level, uint8_t type)
{
/* Only TLS1.2 considers the alert level. The alert level field is
* considered deprecated in TLS1.3. */
@@ -143,6 +151,20 @@ static bool s2n_handle_as_warning(struct s2n_connection *conn, uint8_t level, ui
return type == S2N_TLS_ALERT_USER_CANCELED;
}
+S2N_RESULT s2n_alerts_close_if_fatal(struct s2n_connection *conn, struct s2n_blob *alert)
+{
+ RESULT_ENSURE_REF(conn);
+ RESULT_ENSURE_REF(alert);
+ RESULT_ENSURE_EQ(alert->size, S2N_ALERT_LENGTH);
+ /* Only one alert should currently be treated as a warning */
+ if (alert->data[1] == S2N_TLS_ALERT_NO_RENEGOTIATION) {
+ RESULT_ENSURE_EQ(alert->data[0], S2N_TLS_ALERT_LEVEL_WARNING);
+ return S2N_RESULT_OK;
+ }
+ conn->closing = true;
+ return S2N_RESULT_OK;
+}
+
int s2n_error_get_alert(int error, uint8_t *alert)
{
int error_type = s2n_error_get_type(error);
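Review bot: s2n_alerts_close_if_fatal has no header comment, and its behaviour is not obvious from the name: every alert except a warning-level no_renegotiation sets `conn->closing`, and a no_renegotiation alert carrying any level other than S2N_TLS_ALERT_LEVEL_WARNING is rejected with an error rather than treated as fatal (consistent with RFC 5246 §7.2.2, which describes no_renegotiation as always a warning). I would add a comment above the definition stating that `alert` is expected to be the two-byte level/type encoding (enforced by the size check), that only a warning-level no_renegotiation leaves the connection open, and that a mismatched level is an error so callers do not assume it is handled as a fatal close. Whether this runs on alerts being sent or received cannot be determined from the hunk, so the comment should say which once confirmed against the callers.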
@@ -198,7 +220,7 @@ int s2n_process_alert_fragment(struct s2n_connection *conn)
}
/* Ignore warning-level alerts if we're in warning-tolerant mode */
- if (s2n_handle_as_warning(conn, conn->alert_in_data[0], conn->alert_in_data[1])) {
+ if (s2n_process_as_warning(conn, conn->alert_in_data[0], conn->alert_in_data[1])) {
POSIX_GUARD(s2n_stuffer_wipe(&conn->alert_in));
return 0;
}
@@ -275,3 +297,9 @@ int s2n_queue_reader_handshake_failure_alert(struct s2n_connection *conn)
{
return s2n_queue_reader_alert(conn, S2N_TLS_ALERT_LEVEL_FATAL, S2N_TLS_ALERT_HANDSHAKE_FAILURE);
}
+
+S2N_RESULT s2n_queue_reader_no_renegotiation_alert(struct s2n_connection *conn)
+{
+ RESULT_GUARD_POSIX(s2n_queue_reader_alert(conn, S2N_TLS_ALERT_LEVEL_WARNING, S2N_TLS_ALERT_NO_RENEGOTIATION));
+ return S2N_RESULT_OK;
+}
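Review bot: s2n_queue_reader_no_renegotiation_alert returns S2N_RESULT while its sibling s2n_queue_reader_handshake_failure_alert directly above returns int, so the two queue-alert helpers in this file now follow different conventions; if the S2N_RESULT style is the intended direction it is worth a short comment, otherwise returning `int` and calling `s2n_queue_reader_alert` directly like the sibling would keep them uniform. The function also lacks a header comment; I would add `/* Queue a warning-level no_renegotiation alert to be sent to the peer (RFC 5246 §7.2.2: this alert is always a warning). */`. Reference checking of `conn` is presumably left to s2n_queue_reader_alert, which is not visible here.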