Project homepage Mailing List  Warmcat.com  API Docs  Github Mirror 
{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1752651764, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"28c9f5ee6bb61a94239c36f5b4b81d8c", "commit": {"type":"commit", "time": 1533025910, "time_ofs": 60, "oid_tree": { "oid": "f306c49491086a35ac38767945b1a026006191ce", "alias": []}, "oid":{ "oid": "43a0f2733a943799060ea275516fcce00d89eb38", "alias": []}, "msg": "Fix some TLSv1.3 alert issues", "sig_commit": { "git_time": { "time": 1533025910, "offset": 60 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }, "sig_author": { "git_time": { "time": 1532938394, "offset": 60 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }}, "body": "Fix some TLSv1.3 alert issues\n\nEnsure that the certificate required alert actually gets sent (and doesn't\nget translated into handshake failure in TLSv1.3).\n\nEnsure that proper reason codes are given for the new TLSv1.3 alerts.\n\nRemove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left\nover from an earlier TLSv1.3 draft that is no longer used.\n\nFixes #6804\n\nReviewed-by: Tim Hudson \u003ctjh@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/6809)\n" , "diff": "diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec\nindex 7fc5788..3e092ea 100644\n--- a/crypto/err/openssl.ec\n+++ b/crypto/err/openssl.ec\n@@ -67,10 +67,12 @@ R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080\n R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086\n R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090\n R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100\n+R SSL_R_TLSV13_ALERT_MISSING_EXTENSION 1109\n R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110\n R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111\n R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112\n R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113\n R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114\n R TLS1_AD_UNKNOWN_PSK_IDENTITY 1115\n+R SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116\n R TLS1_AD_NO_APPLICATION_PROTOCOL 1120\ndiff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h\nindex a5b2c55..87b295c 100644\n--- a/include/openssl/sslerr.h\n+++ b/include/openssl/sslerr.h\n@@ -695,6 +695,8 @@ int ERR_load_SSL_strings(void);\n # define SSL_R_SSL_SESSION_ID_TOO_LONG 408\n # define SSL_R_SSL_SESSION_VERSION_MISMATCH 210\n # define SSL_R_STILL_IN_INIT 121\n+# define SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED 1116\n+# define SSL_R_TLSV13_ALERT_MISSING_EXTENSION 1109\n # define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049\n # define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050\n # define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021\ndiff --git a/include/openssl/tls1.h b/include/openssl/tls1.h\nindex 37bdc7d..761a86a 100644\n--- a/include/openssl/tls1.h\n+++ b/include/openssl/tls1.h\n@@ -70,7 +70,6 @@ extern \u0022C\u0022 {\n # define TLS1_AD_USER_CANCELLED 90\n # define TLS1_AD_NO_RENEGOTIATION 100\n /* TLSv1.3 alerts */\n-# define TLS13_AD_END_OF_EARLY_DATA 1\n # define TLS13_AD_MISSING_EXTENSION 109 /* fatal */\n # define TLS13_AD_CERTIFICATE_REQUIRED 116 /* fatal */\n /* codes 110-114 are from RFC3546 */\ndiff --git a/ssl/ssl_err.c b/ssl/ssl_err.c\nindex d3e8056..11331ce 100644\n--- a/ssl/ssl_err.c\n+++ b/ssl/ssl_err.c\n@@ -1137,6 +1137,10 @@ static const ERR_STRING_DATA SSL_str_reasons[] \u003d {\n {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_VERSION_MISMATCH),\n \u0022ssl session version mismatch\u0022},\n {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STILL_IN_INIT), \u0022still in init\u0022},\n+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED),\n+ \u0022tlsv13 alert certificate required\u0022},\n+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_MISSING_EXTENSION),\n+ \u0022tlsv13 alert missing extension\u0022},\n {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED),\n \u0022tlsv1 alert access denied\u0022},\n {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR),\ndiff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c\nindex 264381b..48990fd 100644\n--- a/ssl/tls13_enc.c\n+++ b/ssl/tls13_enc.c\n@@ -701,7 +701,8 @@ int tls13_update_key(SSL *s, int sending)\n \n int tls13_alert_code(int code)\n {\n- if (code \u003d\u003d SSL_AD_MISSING_EXTENSION)\n+ /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */\n+ if (code \u003d\u003d SSL_AD_MISSING_EXTENSION || code \u003d\u003d SSL_AD_CERTIFICATE_REQUIRED)\n return code;\n \n return tls1_alert_code(code);\ndiff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf\nindex 5696394..8debb66 100644\n--- a/test/ssl-tests/04-client_auth.conf\n+++ b/test/ssl-tests/04-client_auth.conf\n@@ -108,7 +108,7 @@ VerifyMode \u003d Peer\n \n [test-2]\n ExpectedResult \u003d ServerFail\n-ExpectedServerAlert \u003d HandshakeFailure\n+ExpectedServerAlert \u003d CertificateRequired\n \n \n # \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ndiff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in\nindex a780e00..b9c014d 100644\n--- a/test/ssl-tests/04-client_auth.conf.in\n+++ b/test/ssl-tests/04-client_auth.conf.in\n@@ -101,7 +101,9 @@ sub generate_tests() {\n },\n test \u003d\u003e {\n \u0022ExpectedResult\u0022 \u003d\u003e \u0022ServerFail\u0022,\n- \u0022ExpectedServerAlert\u0022 \u003d\u003e \u0022HandshakeFailure\u0022,\n+ \u0022ExpectedServerAlert\u0022 \u003d\u003e\n+ ($protocol_name eq \u0022flex\u0022 \u0026\u0026 !disabled(\u0022tls1_3\u0022))\n+ ? \u0022CertificateRequired\u0022 : \u0022HandshakeFailure\u0022,\n \u0022Method\u0022 \u003d\u003e $method,\n },\n };\ndiff --git a/test/ssl-tests/26-tls13_client_auth.conf b/test/ssl-tests/26-tls13_client_auth.conf\nindex f769b12..55361dd 100644\n--- a/test/ssl-tests/26-tls13_client_auth.conf\n+++ b/test/ssl-tests/26-tls13_client_auth.conf\n@@ -98,7 +98,7 @@ VerifyMode \u003d Peer\n \n [test-2]\n ExpectedResult \u003d ServerFail\n-ExpectedServerAlert \u003d HandshakeFailure\n+ExpectedServerAlert \u003d CertificateRequired\n \n \n # \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\ndiff --git a/test/ssl-tests/26-tls13_client_auth.conf.in b/test/ssl-tests/26-tls13_client_auth.conf.in\nindex 6da4168..e53cda2 100644\n--- a/test/ssl-tests/26-tls13_client_auth.conf.in\n+++ b/test/ssl-tests/26-tls13_client_auth.conf.in\n@@ -61,7 +61,7 @@ our @tests \u003d (\n },\n test \u003d\u003e {\n \u0022ExpectedResult\u0022 \u003d\u003e \u0022ServerFail\u0022,\n- \u0022ExpectedServerAlert\u0022 \u003d\u003e \u0022HandshakeFailure\u0022,\n+ \u0022ExpectedServerAlert\u0022 \u003d\u003e \u0022CertificateRequired\u0022,\n },\n },\n {\ndiff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c\nindex 5b427e5..cb4b860 100644\n--- a/test/ssl_test_ctx.c\n+++ b/test/ssl_test_ctx.c\n@@ -126,6 +126,7 @@ static const test_enum ssl_alerts[] \u003d {\n {\u0022UnrecognizedName\u0022, SSL_AD_UNRECOGNIZED_NAME},\n {\u0022BadCertificate\u0022, SSL_AD_BAD_CERTIFICATE},\n {\u0022NoApplicationProtocol\u0022, SSL_AD_NO_APPLICATION_PROTOCOL},\n+ {\u0022CertificateRequired\u0022, SSL_AD_CERTIFICATE_REQUIRED},\n };\n \n __owur static int parse_alert(int *alert, const char *value)\n","s":{"c":1752651764,"u": 41634}} ],"g": 43231,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}