int
tls_handshake_close(tls_handshake_t filter)
{
int err = errSSLSuccess;
assert(filter);
err = SSLSendAlert(SSL_AlertLevelWarning, SSL_AlertCloseNotify, filter);
SSLChangeHdskState(filter, SSL_HdskStateGracefulClose);
return err;
}
OSStatus
SSLFatalSessionAlert(AlertDescription desc, SSLContext *ctx)
{ OSStatus err1, err2;
if(desc != SSL_AlertCloseNotify) {
sslHdskMsgDebug("SSLFatalSessionAlert: desc %d\n", desc);
}
SSLChangeHdskState(ctx, SSL_HdskStateErrorClose);
if(ctx->negProtocolVersion < TLS_Version_1_0) {
/* translate to SSL3 if necessary */
switch(desc) {
//case SSL_AlertDecryptionFail_RESERVED:
case SSL_AlertRecordOverflow:
case SSL_AlertAccessDenied:
case SSL_AlertDecodeError:
case SSL_AlertDecryptError:
//case SSL_AlertExportRestriction_RESERVED:
case SSL_AlertProtocolVersion:
case SSL_AlertInsufficientSecurity:
case SSL_AlertUserCancelled:
case SSL_AlertNoRenegotiation:
desc = SSL_AlertHandshakeFail;
break;
case SSL_AlertUnknownCA:
desc = SSL_AlertUnsupportedCert;
break;
case SSL_AlertInternalError:
desc = SSL_AlertCloseNotify;
break;
default:
/* send as is */
break;
}
}
/* Make session unresumable; I'm not stopping if I get an error,
because I'd like to attempt to send the alert anyway */
err1 = SSLDeleteSessionData(ctx);
/* Second, send the alert */
err2 = SSLSendAlert(SSL_AlertLevelFatal, desc, ctx);
ctx->sentFatalAlert = true;
/* If they both returned errors, arbitrarily return the first */
return err1 != 0 ? err1 : err2;
}
