提交 42c28b63 编写于 作者: M Matt Caswell

Use the new TLSv1.3 certificate_required alert where appropriate

Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2898)
上级 717afd93
......@@ -1029,6 +1029,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
# define SSL_AD_END_OF_EARLY_DATA TLS13_AD_END_OF_EARLY_DATA
# define SSL_AD_MISSING_EXTENSION TLS13_AD_MISSING_EXTENSION
# define SSL_AD_CERTIFICATE_REQUIRED TLS13_AD_CERTIFICATE_REQUIRED
# define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
# define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
# define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
......
......@@ -106,6 +106,7 @@ extern "C" {
/* TLSv1.3 alerts */
# define TLS13_AD_END_OF_EARLY_DATA 1
# define TLS13_AD_MISSING_EXTENSION 109 /* fatal */
# define TLS13_AD_CERTIFICATE_REQUIRED 116 /* fatal */
/* codes 110-114 are from RFC3546 */
# define TLS1_AD_UNSUPPORTED_EXTENSION 110
# define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111
......
......@@ -591,6 +591,8 @@ int ssl3_alert_code(int code)
return (TLS1_AD_INAPPROPRIATE_FALLBACK);
case SSL_AD_NO_APPLICATION_PROTOCOL:
return (TLS1_AD_NO_APPLICATION_PROTOCOL);
case SSL_AD_CERTIFICATE_REQUIRED:
return SSL_AD_HANDSHAKE_FAILURE;
default:
return (-1);
}
......
......@@ -3280,7 +3280,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
al = SSL_AD_HANDSHAKE_FAILURE;
al = SSL_AD_CERTIFICATE_REQUIRED;
goto f_err;
}
/* No client certificate so digest cached records */
......
......@@ -700,6 +700,8 @@ int tls1_alert_code(int code)
return (TLS1_AD_INAPPROPRIATE_FALLBACK);
case SSL_AD_NO_APPLICATION_PROTOCOL:
return (TLS1_AD_NO_APPLICATION_PROTOCOL);
case SSL_AD_CERTIFICATE_REQUIRED:
return SSL_AD_HANDSHAKE_FAILURE;
default:
return (-1);
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册