diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec
index 7fc5788434c13410f037b3ad125b415c7d98f19c..3e092eae0a2b879627579734666c845cd50a9434 100644
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -67,10 +67,12 @@ R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
 R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
 R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
 R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+R SSL_R_TLSV13_ALERT_MISSING_EXTENSION 1109
 R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
 R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
 R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
 R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
 R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
 R TLS1_AD_UNKNOWN_PSK_IDENTITY 1115
+R SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116
 R TLS1_AD_NO_APPLICATION_PROTOCOL 1120
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index a5b2c5594219265041eadc287255fdbfa3321b4b..87b295c9f93bfecddb6b7051d1d765082622d83c 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -695,6 +695,8 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_SSL_SESSION_ID_TOO_LONG 408
 # define SSL_R_SSL_SESSION_VERSION_MISMATCH 210
 # define SSL_R_STILL_IN_INIT 121
+# define SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116
+# define SSL_R_TLSV13_ALERT_MISSING_EXTENSION 1109
 # define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
 # define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
 # define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 37bdc7da435ef5124035618afd4a894d8b2949d7..761a86a752d6ba6d8707d5b5ca12148c5b23b65a 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -70,7 +70,6 @@ extern "C" {
 # define TLS1_AD_USER_CANCELLED 90
 # define TLS1_AD_NO_RENEGOTIATION 100
 /* TLSv1.3 alerts */
-# define TLS13_AD_END_OF_EARLY_DATA 1
 # define TLS13_AD_MISSING_EXTENSION 109 /* fatal */
 # define TLS13_AD_CERTIFICATE_REQUIRED 116 /* fatal */
 /* codes 110-114 are from RFC3546 */
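Review bot: The two new reason codes in openssl.ec and sslerr.h (1109, 1116) are coupled by convention, not by the build, to the alert descriptors 109 and 116 defined in the tls1.h hunk: the existing entries show the same 1000 + descriptor pattern (SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 vs TLS1_AD_NO_RENEGOTIATION 100), and as far as I can tell it is that offset (SSL_AD_REASON_OFFSET) that the alert-receive path adds to the descriptor byte to reach the strings added in ssl/ssl_err.c, so a mismatch would silently produce an unknown-reason error rather than a compile failure. Nothing in the diff documents that dependency; a short comment next to the TLSV13 lines in openssl.ec, or in the TLSv1.3 alert block of tls1.h, along the lines of `/* reason code for each alert is SSL_AD_REASON_OFFSET + descriptor; keep openssl.ec in sync */`, would make it visible. These three files also look like output of util/mkerr.pl, so if they were hand-edited a regeneration run would confirm the ordering chosen here (TLSV13 sorted before TLSV1_ in sslerr.h and ssl_err.c) is what the tool produces; the same remark applies to the ssl_err.c hunk.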
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index d3e805636fd456827179464372bf8a11c461dbdf..11331ce41fd3e640652b01bfbc379085395c5ecd 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1137,6 +1137,10 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_VERSION_MISMATCH),
     "ssl session version mismatch"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STILL_IN_INIT), "still in init"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED),
+    "tlsv13 alert certificate required"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_MISSING_EXTENSION),
+    "tlsv13 alert missing extension"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED),
     "tlsv1 alert access denied"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR),
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 264381bd00831fde55ed5fb547500afe642f9948..48990fd65c3bb77f2a47b8514eacd5768e6ef0a4 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -701,7 +701,8 @@ int tls13_update_key(SSL *s, int sending)
 
 int tls13_alert_code(int code)
 {
-    if (code == SSL_AD_MISSING_EXTENSION)
+    /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */
+    if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED)
         return code;
 
     return tls1_alert_code(code);
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index 5696394c1b51f16464cc95a3b9e280d3818165bf..8debb66fd089470f20e7295507b4bb6259be56d6 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -108,7 +108,7 @@ VerifyMode = Peer
 
 [test-2]
 ExpectedResult = ServerFail
-ExpectedServerAlert = HandshakeFailure
+ExpectedServerAlert = CertificateRequired
 
 
 # ===========================================================
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index a780e0069939ccee6da412b01ea1a2db65c332e1..b9c014d2c0d9f2135362ea1797543804af90e34e 100644
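Review bot: The new comment in tls13_alert_code says two alerts are TLSv1.3-only but not which ones or why passing them through unchanged is right, and the `/* fatal */` markers in the tls1.h hunk are the only place that records their severity; I would make the comment carry that: `/* missing_extension(109) and certificate_required(116) exist only in TLSv1.3 and are always fatal; return them as-is, map everything else exactly as TLSv1.2 does */`. Separately, now that certificate_required is sent on the wire, SSL_alert_desc_string_long()/SSL_alert_desc_string() presumably need a case for TLS13_AD_CERTIFICATE_REQUIRED (and TLS13_AD_MISSING_EXTENSION) if one is not already there, otherwise message/info callbacks will describe the new alert as unknown; that file is not in this diff so I cannot confirm either way. tls13_alert_code is shown in full, but what tls1_alert_code does with the remaining codes is outside the hunk.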
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -101,7 +101,9 @@ sub generate_tests() {
             },
             test => {
                 "ExpectedResult" => "ServerFail",
-                "ExpectedServerAlert" => "HandshakeFailure",
+                "ExpectedServerAlert" =>
+                ($protocol_name eq "flex" && !disabled("tls1_3"))
+                ? "CertificateRequired" : "HandshakeFailure",
                 "Method" => $method,
             },
         };
diff --git a/test/ssl-tests/26-tls13_client_auth.conf b/test/ssl-tests/26-tls13_client_auth.conf
index f769b1238ddca3064096eb702807cb60ff190a2f..55361dde73dbf708426a15854604f0535d8572ec 100644
--- a/test/ssl-tests/26-tls13_client_auth.conf
+++ b/test/ssl-tests/26-tls13_client_auth.conf
@@ -98,7 +98,7 @@ VerifyMode = Peer
 
 [test-2]
 ExpectedResult = ServerFail
-ExpectedServerAlert = HandshakeFailure
+ExpectedServerAlert = CertificateRequired
 
 
 # ===========================================================
diff --git a/test/ssl-tests/26-tls13_client_auth.conf.in b/test/ssl-tests/26-tls13_client_auth.conf.in
index 6da41686fdb4fa0273a9f7b84b7e5b360ba4ec4d..e53cda2304e4fb80212eff9a0c8ad2dbcffcbfee 100644
--- a/test/ssl-tests/26-tls13_client_auth.conf.in
+++ b/test/ssl-tests/26-tls13_client_auth.conf.in
@@ -61,7 +61,7 @@ our @tests = (
         },
         test => {
             "ExpectedResult" => "ServerFail",
-            "ExpectedServerAlert" => "HandshakeFailure",
+            "ExpectedServerAlert" => "CertificateRequired",
         },
     },
     {
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index 5b427e53e725e6285492d1d2cb6a7ef8ae1041b9..cb4b8606e2accf44404a32b131f1bf09132d79fe 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -126,6 +126,7 @@ static const test_enum ssl_alerts[] = {
     {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
     {"BadCertificate", SSL_AD_BAD_CERTIFICATE},
     {"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
+    {"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
 };
 
 __owur static int parse_alert(int *alert, const char *value)
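Review bot: The ternary added to 04-client_auth.conf.in makes test-2's expected alert depend on the protocol variant, but gives no hint why "flex" is the only case that changes, and the checked-in 04-client_auth.conf records only the `CertificateRequired` branch, which is right only for a build with TLSv1.3 enabled (presumably what the generated files are meant to reflect). A one-line comment above the expression, e.g. `# a negotiated TLSv1.3 handshake reports a missing client cert as certificate_required; fixed-version and no-tls1_3 builds still get handshake_failure`, would spare the next reader from re-deriving that, and would also explain why 26-tls13_client_auth.conf.in can hardcode CertificateRequired. The enclosing generate_tests() sub starts before the hunk.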
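Review bot: Only CertificateRequired is added to ssl_alerts, so a test still cannot assert `ExpectedServerAlert = MissingExtension`, even though this commit gives SSL_AD_MISSING_EXTENSION the same pass-through in tls13_alert_code and an error string in ssl_err.c. Unless that entry already exists in the lines above the hunk, adding `{"MissingExtension", SSL_AD_MISSING_EXTENSION},` beside the new line keeps the table in step with the alerts TLSv1.3 can actually emit and lets a future negative test pin the exact alert rather than a generic failure. The ssl_alerts array begins before the hunk.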