From 00c8b6a95ab83facc9230448b174f26a223e6a51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sat, 26 Jan 2019 21:44:28 +0100
Subject: Add GNUTLS_E_RECEIVED_DISALLOWED_NAME for illegal SNI names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An illegal/disallowed SNI server name previously generated
the misleading message "An illegal parameter has been received.".

This commit changes it to
  "A disallowed SNI server name has been received.".

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
---
 lib/alert.c                     | 1 +
 lib/errors.c                    | 6 ++++--
 lib/ext/server_name.c           | 8 ++++++--
 lib/includes/gnutls/gnutls.h.in | 1 +
 tests/cert_verify_inv_utf8.c    | 2 +-
 tests/mini-server-name.c        | 6 +++---
 tests/set_key_utf8.c            | 2 +-
 tests/set_x509_key_utf8.c       | 2 +-
 8 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/lib/alert.c b/lib/alert.c
index 15f5183430..a2d1725e6b 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -224,6 +224,7 @@ int gnutls_error_to_alert(int err, int *level)
 	case GNUTLS_E_ILLEGAL_SRP_USERNAME:
 	case GNUTLS_E_PK_INVALID_PUBKEY:
 	case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
+	case GNUTLS_E_RECEIVED_DISALLOWED_NAME:
 		ret = GNUTLS_A_ILLEGAL_PARAMETER;
 		_level = GNUTLS_AL_FATAL;
 		break;
diff --git a/lib/errors.c b/lib/errors.c
index a1bdf9b873..520958b70c 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -206,6 +206,8 @@ static const gnutls_error_entry error_entries[] = {
 	ERROR_ENTRY(N_("An illegal parameter was found."),
 		    GNUTLS_E_ILLEGAL_PARAMETER),
 	ERROR_ENTRY(N_("Error while reading file."), GNUTLS_E_FILE_ERROR),
+	ERROR_ENTRY(N_("A disallowed SNI server name has been received."),
+		    GNUTLS_E_RECEIVED_DISALLOWED_NAME),
 
 	ERROR_ENTRY(N_("ASN1 parser: Element was not found."),
 		    GNUTLS_E_ASN1_ELEMENT_NOT_FOUND),
@@ -462,14 +464,14 @@ static const gnutls_error_entry non_fatal_error_entries[] = {
  *
  * If a GnuTLS function returns a negative error code you may feed that
  * value to this function to see if the error condition is fatal to
- * a TLS session (i.e., must be terminated). 
+ * a TLS session (i.e., must be terminated).
  *
  * Note that you may also want to check the error code manually, since some
  * non-fatal errors to the protocol (such as a warning alert or
  * a rehandshake request) may be fatal for your program.
  *
  * This function is only useful if you are dealing with errors from
- * functions that relate to a TLS session (e.g., record layer or handshake 
+ * functions that relate to a TLS session (e.g., record layer or handshake
  * layer handling functions).
  *
  * Returns: Non-zero value on fatal errors or zero on non-fatal.
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 1f9f3814f1..9c8c533490 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -105,8 +105,12 @@ _gnutls_server_name_recv_params(gnutls_session_t session,
 			DECR_LEN(data_size, len);
 
 			if (type == 0) { /* NAME_DNS */
-				if (!_gnutls_dnsname_is_valid((char*)p, len))
-					return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+				if (!_gnutls_dnsname_is_valid((char*)p, len)) {
+					_gnutls_handshake_log
+					    ("HSK[%p]: Server name is not acceptable: '%.*s'\n",
+					     session, (int) len, p);
+					return gnutls_assert_val(GNUTLS_E_RECEIVED_DISALLOWED_NAME);
+				}
 
 				name.data = (void*)p;
 				name.size = len;
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 7e6a592447..9a4c98c0e8 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3141,6 +3141,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
 #define GNUTLS_E_TOO_MANY_EMPTY_PACKETS -78
 #define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
 #define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
+#define GNUTLS_E_RECEIVED_UNRECOGNIZED_NAME -82	/* GNUTLS_A_ILLEGAL_PARAMETER */
 
   /* returned if you need to generate temporary RSA
    * parameters. These are needed for export cipher suites.
diff --git a/tests/cert_verify_inv_utf8.c b/tests/cert_verify_inv_utf8.c
index 4afd52311d..095a55f3df 100644
--- a/tests/cert_verify_inv_utf8.c
+++ b/tests/cert_verify_inv_utf8.c
@@ -137,7 +137,7 @@ static void auto_parse(void)
 	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", 0, 0);
 	test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκοσ.com");
 	test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκος.com");
-	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
 
 	gnutls_certificate_free_credentials(x509_cred);
 	gnutls_certificate_free_credentials(clicred);
diff --git a/tests/mini-server-name.c b/tests/mini-server-name.c
index 0da27cc3e1..e18dcfc150 100644
--- a/tests/mini-server-name.c
+++ b/tests/mini-server-name.c
@@ -310,21 +310,21 @@ void doit(void)
 	start("tls1.2 test.example.com", PRIO_TLS12, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
 	start("tls1.2 longtest.example.com", PRIO_TLS12, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
 	/* test embedded NULL */
-	start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+	start("tls1.2 embedded-NULL", PRIO_TLS12, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
 
 	start("tls1.3 NULL", PRIO_TLS13, 0, NULL, 0, NULL, 0, 0);
 	start("tls1.3 empty", PRIO_TLS13, 0, "", 0, "", 0, 0);
 	start("tls1.3 test.example.com", PRIO_TLS13, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
 	start("tls1.3 longtest.example.com", PRIO_TLS13, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
 	/* test embedded NULL */
-	start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+	start("tls1.3 embedded-NULL", PRIO_TLS13, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
 
 	start("NULL", PRIO_NORMAL, 0, NULL, 0, NULL, 0, 0);
 	start("empty", PRIO_NORMAL, 0, "", 0, "", 0, 0);
 	start("test.example.com", PRIO_NORMAL, 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
 	start("longtest.example.com", PRIO_NORMAL, 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
 	/* test embedded NULL */
-	start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+	start("embedded-NULL", PRIO_NORMAL, 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_DISALLOWED_NAME);
 }
 
 #endif				/* _WIN32 */
diff --git a/tests/set_key_utf8.c b/tests/set_key_utf8.c
index 7a02e45618..81d5ef2c05 100644
--- a/tests/set_key_utf8.c
+++ b/tests/set_key_utf8.c
@@ -140,7 +140,7 @@ static void auto_parse(void)
 
 	/* the raw DNS should result to verification failure as the advertized name should
 	 * not be considered and the first cert should be provided */
-	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
 
 	gnutls_certificate_free_credentials(x509_cred);
 	gnutls_certificate_free_credentials(clicred);
diff --git a/tests/set_x509_key_utf8.c b/tests/set_x509_key_utf8.c
index 7cc5b99ea8..7753c7f4c9 100644
--- a/tests/set_x509_key_utf8.c
+++ b/tests/set_x509_key_utf8.c
@@ -177,7 +177,7 @@ void doit(void)
 	test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
 	test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */
 
-	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
 
 	gnutls_certificate_free_credentials(x509_cred);
 	gnutls_certificate_free_credentials(clicred);
-- 
cgit v1.2.1