From 42c28b637c5ac9a288a0a6bde8f32622ba60e0a1 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 10 Mar 2017 15:09:24 +0000 Subject: [PATCH] Use the new TLSv1.3 certificate_required alert where appropriate Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2898) --- include/openssl/ssl.h | 1 + include/openssl/tls1.h | 1 + ssl/s3_enc.c | 2 ++ ssl/statem/statem_srvr.c | 2 +- ssl/t1_enc.c | 2 ++ 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 9fbf3d1b11..488ce4f39c 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1029,6 +1029,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION # define SSL_AD_END_OF_EARLY_DATA TLS13_AD_END_OF_EARLY_DATA # define SSL_AD_MISSING_EXTENSION TLS13_AD_MISSING_EXTENSION +# define SSL_AD_CERTIFICATE_REQUIRED TLS13_AD_CERTIFICATE_REQUIRED # define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION # define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE # define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 280d131c6f..cf06f72748 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -106,6 +106,7 @@ extern "C" { /* TLSv1.3 alerts */ # define TLS13_AD_END_OF_EARLY_DATA 1 # define TLS13_AD_MISSING_EXTENSION 109 /* fatal */ +# define TLS13_AD_CERTIFICATE_REQUIRED 116 /* fatal */ /* codes 110-114 are from RFC3546 */ # define TLS1_AD_UNSUPPORTED_EXTENSION 110 # define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111 diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 165135707a..88e74edf2b 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -591,6 +591,8 @@ int ssl3_alert_code(int code) return (TLS1_AD_INAPPROPRIATE_FALLBACK); case SSL_AD_NO_APPLICATION_PROTOCOL: return (TLS1_AD_NO_APPLICATION_PROTOCOL); + case SSL_AD_CERTIFICATE_REQUIRED: + return SSL_AD_HANDSHAKE_FAILURE; default: return (-1); } diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 6c007a1302..2e381fdd02 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3280,7 +3280,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); - al = SSL_AD_HANDSHAKE_FAILURE; + al = SSL_AD_CERTIFICATE_REQUIRED; goto f_err; } /* No client certificate so digest cached records */ diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 2969b88c80..16db3054c6 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -700,6 +700,8 @@ int tls1_alert_code(int code) return (TLS1_AD_INAPPROPRIATE_FALLBACK); case SSL_AD_NO_APPLICATION_PROTOCOL: return (TLS1_AD_NO_APPLICATION_PROTOCOL); + case SSL_AD_CERTIFICATE_REQUIRED: + return SSL_AD_HANDSHAKE_FAILURE; default: return (-1); } -- 2.25.1