Fix TLS alert codes
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
diff --git a/ChangeLog.d/fix_tls_alert_codes.txt b/ChangeLog.d/fix_tls_alert_codes.txt
new file mode 100644
index 0000000..abe3a5e
--- /dev/null
+++ b/ChangeLog.d/fix_tls_alert_codes.txt
@@ -0,0 +1,6 @@
+Bugfix
+ * Fix the alert raised when a client requests an invalid
+ * fragment length, as per RFC6066 section 4. We now alert with
+ * MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER. Similarly, raise
+ * MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR for an invalid finished
+ * message, as per RFC5247 section 7.2.2.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 073311b..7fedf17 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1318,7 +1318,7 @@
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1a0794a..3c1e917 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6684,7 +6684,7 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
}