-rw-r--r-- | crypto/err/openssl.ec | 2 | ||||
-rw-r--r-- | include/openssl/sslerr.h | 2 | ||||
-rw-r--r-- | include/openssl/tls1.h | 1 | ||||
-rw-r--r-- | ssl/ssl_err.c | 4 | ||||
-rw-r--r-- | ssl/tls13_enc.c | 3 | ||||
-rw-r--r-- | test/ssl-tests/04-client_auth.conf | 2 | ||||
-rw-r--r-- | test/ssl-tests/04-client_auth.conf.in | 4 | ||||
-rw-r--r-- | test/ssl-tests/26-tls13_client_auth.conf | 2 | ||||
-rw-r--r-- | test/ssl-tests/26-tls13_client_auth.conf.in | 2 | ||||
-rw-r--r-- | test/ssl_test_ctx.c | 1 |
10 files changed, 17 insertions, 6 deletions
diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec
index 7fc5788434..3e092eae0a 100644
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -67,10 +67,12 @@ R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
 R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
 R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
 R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+R SSL_R_TLSV13_ALERT_MISSING_EXTENSION 1109
 R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
 R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
 R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
 R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
 R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
 R TLS1_AD_UNKNOWN_PSK_IDENTITY 1115
+R SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116
 R TLS1_AD_NO_APPLICATION_PROTOCOL 1120
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index a5b2c55942..87b295c9f9 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -695,6 +695,8 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_SSL_SESSION_ID_TOO_LONG 408
 # define SSL_R_SSL_SESSION_VERSION_MISMATCH 210
 # define SSL_R_STILL_IN_INIT 121
+# define SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116
+# define SSL_R_TLSV13_ALERT_MISSING_EXTENSION 1109
 # define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
 # define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
 # define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 37bdc7da43..761a86a752 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -70,7 +70,6 @@ extern "C" {
 # define TLS1_AD_USER_CANCELLED 90
 # define TLS1_AD_NO_RENEGOTIATION 100
 /* TLSv1.3 alerts */
-# define TLS13_AD_END_OF_EARLY_DATA 1
 # define TLS13_AD_MISSING_EXTENSION 109 /* fatal */
 # define TLS13_AD_CERTIFICATE_REQUIRED 116 /* fatal */
 /* codes 110-114 are from RFC3546 */
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index d3e805636f..11331ce41f 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1137,6 +1137,10 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_VERSION_MISMATCH),
     "ssl session version mismatch"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STILL_IN_INIT), "still in init"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED),
+    "tlsv13 alert certificate required"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_MISSING_EXTENSION),
+    "tlsv13 alert missing extension"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED),
     "tlsv1 alert access denied"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR),
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 264381bd00..48990fd65c 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -701,7 +701,8 @@ int tls13_update_key(SSL *s, int sending)
 
 int tls13_alert_code(int code)
 {
-    if (code == SSL_AD_MISSING_EXTENSION)
+    /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */
+    if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED)
         return code;
 
     return tls1_alert_code(code);
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index 5696394c1b..8debb66fd0 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -108,7 +108,7 @@ VerifyMode = Peer
 
 [test-2]
 ExpectedResult = ServerFail
-ExpectedServerAlert = HandshakeFailure
+ExpectedServerAlert = CertificateRequired
 
 
 # ===========================================================
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index a780e00699..b9c014d2c0 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -101,7 +101,9 @@ sub generate_tests() {
             },
             test => {
                 "ExpectedResult" => "ServerFail",
-                "ExpectedServerAlert" => "HandshakeFailure",
+                "ExpectedServerAlert" =>
+                    ($protocol_name eq "flex" && !disabled("tls1_3"))
+                    ? "CertificateRequired" : "HandshakeFailure",
                 "Method" => $method,
             },
         };
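Review bot: tls13_alert_code() now passes SSL_AD_MISSING_EXTENSION and SSL_AD_CERTIFICATE_REQUIRED through unchanged, but every other code is still delegated to tls1_alert_code() and nothing in this hunk filters the alerts TLSv1.3 has dropped, such as no_renegotiation (100), decryption_failed (21) or export_restriction (60). If the TLSv1.2 helper maps those to themselves — it is outside this diff, so I cannot confirm — a TLSv1.3 peer could receive an alert the protocol no longer defines; either confirm tls1_alert_code() already returns -1 for them or handle them here before the fall-through, e.g. `if (code == SSL_AD_NO_RENEGOTIATION || code == SSL_AD_DECRYPTION_FAILED) return SSL_AD_INTERNAL_ERROR;`. It would also help to extend the new comment to say that the fall-through is where TLSv1.2-era codes are still mapped, e.g. `/* The two TLSv1.3-only alerts pass through; everything else uses the TLSv1.2 mapping */`. The closing brace of tls13_alert_code() lies outside the hunk.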
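Review bot: The ternary under `"ExpectedServerAlert" =>` encodes the expected alert as a function of the protocol name and the tls1_3 build option, but gives no hint why the two protocols differ, and it silently assumes the `flex` case actually negotiates TLSv1.3 whenever it is compiled in; if the server or client stanza for this test (outside the hunk) ever caps MaxProtocol below TLSv1.3, the generated .conf would expect CertificateRequired while the server sends HandshakeFailure. A short comment above the expression, `# TLSv1.3 reports a missing client certificate with certificate_required; earlier versions use handshake_failure`, would document the reasoning for the next person editing these tests. The enclosing generate_tests() sub starts and ends outside the hunk.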
diff --git a/test/ssl-tests/26-tls13_client_auth.conf b/test/ssl-tests/26-tls13_client_auth.conf
index f769b1238d..55361dde73 100644
--- a/test/ssl-tests/26-tls13_client_auth.conf
+++ b/test/ssl-tests/26-tls13_client_auth.conf
@@ -98,7 +98,7 @@ VerifyMode = Peer
 
 [test-2]
 ExpectedResult = ServerFail
-ExpectedServerAlert = HandshakeFailure
+ExpectedServerAlert = CertificateRequired
 
 
 # ===========================================================
diff --git a/test/ssl-tests/26-tls13_client_auth.conf.in b/test/ssl-tests/26-tls13_client_auth.conf.in
index 6da41686fd..e53cda2304 100644
--- a/test/ssl-tests/26-tls13_client_auth.conf.in
+++ b/test/ssl-tests/26-tls13_client_auth.conf.in
@@ -61,7 +61,7 @@ our @tests = (
         },
         test => {
             "ExpectedResult" => "ServerFail",
-            "ExpectedServerAlert" => "HandshakeFailure",
+            "ExpectedServerAlert" => "CertificateRequired",
         },
     },
     {
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 5b427e53e7..cb4b8606e2 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -126,6 +126,7 @@ static const test_enum ssl_alerts[] = {
     {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
     {"BadCertificate", SSL_AD_BAD_CERTIFICATE},
     {"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
+    {"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
 };
 
 __owur static int parse_alert(int *alert, const char *value) |
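Review bot: Only the CertificateRequired name is added to ssl_alerts[], so a test config still cannot assert on the other TLSv1.3 alert this commit routes through tls13_alert_code(), missing_extension (109). Unless an entry already exists earlier in the array — its start lies outside the hunk, so I cannot tell — add `{"MissingExtension", SSL_AD_MISSING_EXTENSION},` next to the new line so ExpectedServerAlert/ExpectedClientAlert can name both new alerts and the mapping added in ssl/tls13_enc.c gets covered end to end.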