fix: add S2N_ERR_ILLEGAL_PARAMETER error and alert mapping #5564
+8
−6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduce a new error code S2N_ERR_ILLEGAL_PARAMETER to distinguish between unexpected message types (S2N_ERR_BAD_MESSAGE) and invalid message content. This improves TLS alert compliance by mapping the new error to S2N_TLS_ALERT_ILLEGAL_PARAMETER. Changes: - Add S2N_ERR_ILLEGAL_PARAMETER to error enum in s2n_errno.h - Add error description in s2n_errno.c - Map S2N_ERR_ILLEGAL_PARAMETER to S2N_TLS_ALERT_ILLEGAL_PARAMETER - Update comments to clarify error-to-alert mappings This resolves the TODO comment about incomplete alert mappings and provides a foundation for more precise error reporting throughout the codebase.
maddeleine
reviewed
Nov 6, 2025
Contributor
maddeleine
left a comment
maddeleine
left a comment
There was a problem hiding this comment.
This is incomplete. The problem is not only that we don't have an error for illegal parameter. It's that sometimes we emit S2N_ERR_BAD_MESSAGE in places that actually indicate S2N_TLS_ALERT_ILLEGAL_PARAMETER instead of S2N_TLS_ALERT_UNEXPECTED_MESSAGE. So the complete fix would be to go through our code and swap out S2N_ERR_BAD_MESSAGE for S2N_ERR_ILLEGAL_PARAMETER where it is more appropriate.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce a new error code S2N_ERR_ILLEGAL_PARAMETER to distinguish between unexpected message types (S2N_ERR_BAD_MESSAGE) and invalid message content. This improves TLS alert compliance by mapping the new error to S2N_TLS_ALERT_ILLEGAL_PARAMETER.
Changes:
add S2N_ERR_ILLEGAL_PARAMETER to error enum in s2n_errno.h,add error description in s2n_errno.c,map S2N_ERR_ILLEGAL_PARAMETER to S2N_TLS_ALERT_ILLEGAL_PARAMETER
This resolves the TODO comment about incomplete alert mappings
Release Summary:
Introduces a new error code S2N_ERR_ILLEGAL_PARAMETER for TLS alert compliance by distinguishing b/w unexpected message types and invalid message content in accordance with RFC specifications
Resolved issues:
Partially addresses the TODO comments in tls/s2n_alerts.c regarding incomplete error-to-alert mappings.
Description of changes:
Describe s2n’s current behavior and how your code changes that behavior. If there are no issues this PR is resolving, explain why this change is necessary.
Call-outs:
Address any potentially confusing code. Is there code added that needs to be cleaned up later? Is there code that is missing because it’s still in development? If a callout is specific to a section of code, it might make more sense to leave a comment on your own PR file diff.
Testing:
Code compiles without syntax errors, verified error enum ordering is correct (added after S2N_ERR_BAD_MESSAGE in S2N_ERR_T_PROTO category)
Remember:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.