Fix some TLSv1.3 alert issues

Ensure that the certificate required alert actually gets sent (and doesn't get translated into handshake failure in TLSv1.3). Ensure that proper reason codes are given for the new TLSv1.3 alerts. Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left over from an earlier TLSv1.3 draft that is no longer used. Fixes #6804 Reviewed-by: N Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6809)

Fix some TLSv1.3 alert issues
Ensure that the certificate required alert actually gets sent (and doesn't get translated into handshake failure in TLSv1.3). Ensure that proper reason codes are given for the new TLSv1.3 alerts. Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left over from an earlier TLSv1.3 draft that is no longer used. Fixes #6804 Reviewed-by: N Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6809)
43a0f273 · Matt Caswell · 50db8163 · 43a0f273 · 43a0f273 · 43a0f273
10 changed file
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -67,10 +67,12 @@ R SSL_R_TLSV1_ALERT_INTERNAL_ERROR              1080
 R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK      1086
 R SSL_R_TLSV1_ALERT_USER_CANCELLED              1090
 R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION            1100
+R SSL_R_TLSV13_ALERT_MISSING_EXTENSION          1109
 R SSL_R_TLSV1_UNSUPPORTED_EXTENSION             1110
 R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE          1111
 R SSL_R_TLSV1_UNRECOGNIZED_NAME                 1112
 R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE   1113
 R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE        1114
 R TLS1_AD_UNKNOWN_PSK_IDENTITY                  1115
+R SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED       1116
 R TLS1_AD_NO_APPLICATION_PROTOCOL               1120
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -695,6 +695,8 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_SSL_SESSION_ID_TOO_LONG                    408
 # define SSL_R_SSL_SESSION_VERSION_MISMATCH               210
 # define SSL_R_STILL_IN_INIT                              121
+# define SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED          1116
+# define SSL_R_TLSV13_ALERT_MISSING_EXTENSION             1109
 # define SSL_R_TLSV1_ALERT_ACCESS_DENIED                  1049
 # define SSL_R_TLSV1_ALERT_DECODE_ERROR                   1050
 # define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED              1021

--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -70,7 +70,6 @@ extern "C" {
 # define TLS1_AD_USER_CANCELLED          90
 # define TLS1_AD_NO_RENEGOTIATION        100
 /* TLSv1.3 alerts */
-# define TLS13_AD_END_OF_EARLY_DATA      1
 # define TLS13_AD_MISSING_EXTENSION      109 /* fatal */
 # define TLS13_AD_CERTIFICATE_REQUIRED   116 /* fatal */
 /* codes 110-114 are from RFC3546 */

--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1137,6 +1137,10 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_VERSION_MISMATCH),
    "ssl session version mismatch"},
    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STILL_IN_INIT), "still in init"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED),
+    "tlsv13 alert certificate required"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_MISSING_EXTENSION),
+    "tlsv13 alert missing extension"},
    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED),
    "tlsv1 alert access denied"},
    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR),

--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -701,7 +701,8 @@ int tls13_update_key(SSL *s, int sending)

 int tls13_alert_code(int code)
 {
-    if (code == SSL_AD_MISSING_EXTENSION)
+    /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */
+    if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED)
        return code;

    return tls1_alert_code(code);

--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -108,7 +108,7 @@ VerifyMode = Peer

 [test-2]
 ExpectedResult = ServerFail
-ExpectedServerAlert = HandshakeFailure
+ExpectedServerAlert = CertificateRequired


 # ===========================================================

--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -101,7 +101,9 @@ sub generate_tests() {
                    },
                    test   => {
                        "ExpectedResult" => "ServerFail",
-                        "ExpectedServerAlert" => "HandshakeFailure",
+                        "ExpectedServerAlert" =>
+                        ($protocol_name eq "flex" && !disabled("tls1_3"))
+                        ? "CertificateRequired" : "HandshakeFailure",
                        "Method" => $method,
                    },
                };

--- a/test/ssl-tests/26-tls13_client_auth.conf
+++ b/test/ssl-tests/26-tls13_client_auth.conf
@@ -98,7 +98,7 @@ VerifyMode = Peer

 [test-2]
 ExpectedResult = ServerFail
-ExpectedServerAlert = HandshakeFailure
+ExpectedServerAlert = CertificateRequired


 # ===========================================================

--- a/test/ssl-tests/26-tls13_client_auth.conf.in
+++ b/test/ssl-tests/26-tls13_client_auth.conf.in
@@ -61,7 +61,7 @@ our @tests = (
        },
        test => {
            "ExpectedResult" => "ServerFail",
-            "ExpectedServerAlert" => "HandshakeFailure",
+            "ExpectedServerAlert" => "CertificateRequired",
        },
    },
    {

--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -126,6 +126,7 @@ static const test_enum ssl_alerts[] = {
    {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
    {"BadCertificate", SSL_AD_BAD_CERTIFICATE},
    {"NoApplicationProtocol", SSL_AD_NO_APPLICATION_PROTOCOL},
+    {"CertificateRequired", SSL_AD_CERTIFICATE_REQUIRED},
 };

 __owur static int parse_alert(int *alert, const char *value)