Commit 42c28b63 authored by Matt Caswell's avatar Matt Caswell
Browse files

Use the new TLSv1.3 certificate_required alert where appropriate 



Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2898)
parent 717afd93

include/openssl/ssl.h

+1 −0
Original line number Diff line number Diff line
@@ -1029,6 +1029,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 
# define SSL_AD_NO_RENEGOTIATION         TLS1_AD_NO_RENEGOTIATION

# define SSL_AD_END_OF_EARLY_DATA        TLS13_AD_END_OF_EARLY_DATA

# define SSL_AD_MISSING_EXTENSION        TLS13_AD_MISSING_EXTENSION

# define SSL_AD_CERTIFICATE_REQUIRED     TLS13_AD_CERTIFICATE_REQUIRED

# define SSL_AD_UNSUPPORTED_EXTENSION    TLS1_AD_UNSUPPORTED_EXTENSION

# define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE

# define SSL_AD_UNRECOGNIZED_NAME        TLS1_AD_UNRECOGNIZED_NAME

include/openssl/tls1.h

+1 −0
Original line number Diff line number Diff line
@@ -106,6 +106,7 @@ extern "C" { 
/* TLSv1.3 alerts */

# define TLS13_AD_END_OF_EARLY_DATA      1

# define TLS13_AD_MISSING_EXTENSION      109 /* fatal */

# define TLS13_AD_CERTIFICATE_REQUIRED   116 /* fatal */

/* codes 110-114 are from RFC3546 */

# define TLS1_AD_UNSUPPORTED_EXTENSION   110

# define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111

ssl/s3_enc.c

+2 −0
Original line number Diff line number Diff line
@@ -591,6 +591,8 @@ int ssl3_alert_code(int code) 
        return (TLS1_AD_INAPPROPRIATE_FALLBACK);

    case SSL_AD_NO_APPLICATION_PROTOCOL:

        return (TLS1_AD_NO_APPLICATION_PROTOCOL);

    case SSL_AD_CERTIFICATE_REQUIRED:

        return SSL_AD_HANDSHAKE_FAILURE;

    default:

        return (-1);

    }

ssl/statem/statem_srvr.c

+1 −1
Original line number Diff line number Diff line
@@ -3280,7 +3280,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) 
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {

            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,

                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

            al = SSL_AD_HANDSHAKE_FAILURE;

            al = SSL_AD_CERTIFICATE_REQUIRED;

            goto f_err;

        }

        /* No client certificate so digest cached records */

ssl/t1_enc.c

+2 −0
Original line number Diff line number Diff line
@@ -700,6 +700,8 @@ int tls1_alert_code(int code) 
        return (TLS1_AD_INAPPROPRIATE_FALLBACK);

    case SSL_AD_NO_APPLICATION_PROTOCOL:

        return (TLS1_AD_NO_APPLICATION_PROTOCOL);

    case SSL_AD_CERTIFICATE_REQUIRED:

        return SSL_AD_HANDSHAKE_FAILURE;

    default:

        return (-1);

    }