[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Fri Mar 10 15:37:07 UTC 2017
The branch master has been updated
via 42c28b637c5ac9a288a0a6bde8f32622ba60e0a1 (commit)
from 717afd9337abb2ec8f4b59c7c700fe417e746346 (commit)
- Log -----------------------------------------------------------------
commit 42c28b637c5ac9a288a0a6bde8f32622ba60e0a1
Author: Matt Caswell <matt at openssl.org>
Date: Fri Mar 10 15:09:24 2017 +0000
Use the new TLSv1.3 certificate_required alert where appropriate
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2898)
-----------------------------------------------------------------------
Summary of changes:
include/openssl/ssl.h | 1 +
include/openssl/tls1.h | 1 +
ssl/s3_enc.c | 2 ++
ssl/statem/statem_srvr.c | 2 +-
ssl/t1_enc.c | 2 ++
5 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 9fbf3d1..488ce4f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1029,6 +1029,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
# define SSL_AD_END_OF_EARLY_DATA TLS13_AD_END_OF_EARLY_DATA
# define SSL_AD_MISSING_EXTENSION TLS13_AD_MISSING_EXTENSION
+# define SSL_AD_CERTIFICATE_REQUIRED TLS13_AD_CERTIFICATE_REQUIRED
# define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION
# define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
# define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 280d131..cf06f72 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -106,6 +106,7 @@ extern "C" {
/* TLSv1.3 alerts */
# define TLS13_AD_END_OF_EARLY_DATA 1
# define TLS13_AD_MISSING_EXTENSION 109 /* fatal */
+# define TLS13_AD_CERTIFICATE_REQUIRED 116 /* fatal */
/* codes 110-114 are from RFC3546 */
# define TLS1_AD_UNSUPPORTED_EXTENSION 110
# define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 1651357..88e74ed 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -591,6 +591,8 @@ int ssl3_alert_code(int code)
return (TLS1_AD_INAPPROPRIATE_FALLBACK);
case SSL_AD_NO_APPLICATION_PROTOCOL:
return (TLS1_AD_NO_APPLICATION_PROTOCOL);
+ case SSL_AD_CERTIFICATE_REQUIRED:
+ return SSL_AD_HANDSHAKE_FAILURE;
default:
return (-1);
}
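Review bot: The new case in ssl3_alert_code returns the API-level name `SSL_AD_HANDSHAKE_FAILURE` without parentheses, while the neighbouring cases visible here return wire-level `TLS1_AD_*` constants in the `return (X);` form. Writing `return (SSL3_AD_HANDSHAKE_FAILURE);` would match them, since ssl.h aliases the two names. The same applies to the tls1_alert_code hunk in ssl/t1_enc.c. A short comment such as `/* certificate_required only exists from TLSv1.3; older versions send handshake_failure */` would explain why the code is rewritten rather than passed through. The switch begins outside the hunk.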
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 6c007a1..2e381fd 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3280,7 +3280,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
- al = SSL_AD_HANDSHAKE_FAILURE;
+ al = SSL_AD_CERTIFICATE_REQUIRED;
goto f_err;
}
/* No client certificate so digest cached records */
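Review bot: `al = SSL_AD_CERTIFICATE_REQUIRED` is assigned without regard to the negotiated protocol version, and nothing at this site tells the reader that older versions rely on a later translation step to turn it back into handshake_failure. A comment above the assignment, e.g. `/* translated to handshake_failure for versions before TLSv1.3 by the alert code mapping */`, would make that dependency explicit. The enclosing function and the start of the condition are outside the hunk.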
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 2969b88..16db305 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -700,6 +700,8 @@ int tls1_alert_code(int code)
return (TLS1_AD_INAPPROPRIATE_FALLBACK);
case SSL_AD_NO_APPLICATION_PROTOCOL:
return (TLS1_AD_NO_APPLICATION_PROTOCOL);
+ case SSL_AD_CERTIFICATE_REQUIRED:
+ return SSL_AD_HANDSHAKE_FAILURE;
default:
return (-1);
}
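Review bot: The mapping added to tls1_alert_code is unconditional, so every connection whose alerts are translated by this function sends handshake_failure instead of certificate_required (116). If TLSv1.3 connections also use tls1_alert_code, which this hunk does not show, the new alert would never reach the peer and the statem_srvr.c change would have no effect on the wire. It is worth confirming that the TLSv1.3 method's alert translation passes `SSL_AD_CERTIFICATE_REQUIRED` through unchanged, or adding such a path. A client or operator diagnosing a rejected mutual-TLS handshake depends on seeing the specific alert.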