sing-box/common/ktls/ktls_alert.go

// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

//go:build linux && go1.25 && !without_badtls

package ktls

import (
	"crypto/tls"
	"net"
)

const (
	// alert level
	alertLevelWarning = 1
	alertLevelError   = 2
)

const (
	alertCloseNotify                  = 0
	alertUnexpectedMessage            = 10
	alertBadRecordMAC                 = 20
	alertDecryptionFailed             = 21
	alertRecordOverflow               = 22
	alertDecompressionFailure         = 30
	alertHandshakeFailure             = 40
	alertBadCertificate               = 42
	alertUnsupportedCertificate       = 43
	alertCertificateRevoked           = 44
	alertCertificateExpired           = 45
	alertCertificateUnknown           = 46
	alertIllegalParameter             = 47
	alertUnknownCA                    = 48
	alertAccessDenied                 = 49
	alertDecodeError                  = 50
	alertDecryptError                 = 51
	alertExportRestriction            = 60
	alertProtocolVersion              = 70
	alertInsufficientSecurity         = 71
	alertInternalError                = 80
	alertInappropriateFallback        = 86
	alertUserCanceled                 = 90
	alertNoRenegotiation              = 100
	alertMissingExtension             = 109
	alertUnsupportedExtension         = 110
	alertCertificateUnobtainable      = 111
	alertUnrecognizedName             = 112
	alertBadCertificateStatusResponse = 113
	alertBadCertificateHashValue      = 114
	alertUnknownPSKIdentity           = 115
	alertCertificateRequired          = 116
	alertNoApplicationProtocol        = 120
	alertECHRequired                  = 121
)

func (c *Conn) sendAlertLocked(err uint8) error {
	switch err {
	case alertNoRenegotiation, alertCloseNotify:
		c.tmp[0] = alertLevelWarning
	default:
		c.tmp[0] = alertLevelError
	}
	c.tmp[1] = byte(err)

	_, writeErr := c.writeRecordLocked(recordTypeAlert, c.tmp[0:2])
	if err == alertCloseNotify {
		// closeNotify is a special case in that it isn't an error.
		return writeErr
	}

	return c.rawConn.Out.SetErrorLocked(&net.OpError{Op: "local error", Err: tls.AlertError(err)})
}

// sendAlert sends a TLS alert message.
func (c *Conn) sendAlert(err uint8) error {
	c.rawConn.Out.Lock()
	defer c.rawConn.Out.Unlock()
	return c.sendAlertLocked(err)
}