Add missing error with credential/issuer matching

When we iterate over the credential list, the last credential's failure
reason becomes the overall error, so we need to add failure reasons to
the error queue.

Change-Id: If0e09c52b2d9d3d07118b66d93a2e19bc877147c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75747
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/err/ssl.errordata b/crypto/err/ssl.errordata
index 528110c..bcd7327 100644
--- a/crypto/err/ssl.errordata
+++ b/crypto/err/ssl.errordata
@@ -120,6 +120,7 @@
 SSL,253,NO_COMMON_SIGNATURE_ALGORITHMS
 SSL,178,NO_COMPRESSION_SPECIFIED
 SSL,265,NO_GROUPS_SPECIFIED
+SSL,323,NO_MATCHING_ISSUER
 SSL,179,NO_METHOD_SPECIFIED
 SSL,181,NO_PRIVATE_KEY_ASSIGNED
 SSL,182,NO_RENEGOTIATION
diff --git a/gen/crypto/err_data.cc b/gen/crypto/err_data.cc
index 6657eb5..7ad0781 100644
--- a/gen/crypto/err_data.cc
+++ b/gen/crypto/err_data.cc
@@ -198,51 +198,51 @@
     0x283500f7,
     0x28358c81,
     0x2836099a,
-    0x2c3232f2,
+    0x2c323305,
     0x2c3293a3,
-    0x2c333300,
-    0x2c33b312,
-    0x2c343326,
-    0x2c34b338,
-    0x2c353353,
-    0x2c35b365,
-    0x2c363395,
+    0x2c333313,
+    0x2c33b325,
+    0x2c343339,
+    0x2c34b34b,
+    0x2c353366,
+    0x2c35b378,
+    0x2c3633a8,
     0x2c36833a,
-    0x2c3733a2,
-    0x2c37b3ce,
-    0x2c38340c,
-    0x2c38b423,
-    0x2c393441,
-    0x2c39b451,
-    0x2c3a3463,
-    0x2c3ab477,
-    0x2c3b3488,
-    0x2c3bb4a7,
+    0x2c3733b5,
+    0x2c37b3e1,
+    0x2c38341f,
+    0x2c38b436,
+    0x2c393454,
+    0x2c39b464,
+    0x2c3a3476,
+    0x2c3ab48a,
+    0x2c3b349b,
+    0x2c3bb4ba,
     0x2c3c13b5,
     0x2c3c93cb,
-    0x2c3d34ec,
+    0x2c3d34ff,
     0x2c3d93e4,
-    0x2c3e3516,
-    0x2c3eb524,
-    0x2c3f353c,
-    0x2c3fb554,
-    0x2c40357e,
+    0x2c3e3529,
+    0x2c3eb537,
+    0x2c3f354f,
+    0x2c3fb567,
+    0x2c403591,
     0x2c409298,
-    0x2c41358f,
-    0x2c41b5a2,
+    0x2c4135a2,
+    0x2c41b5b5,
     0x2c42125e,
-    0x2c42b5b3,
+    0x2c42b5c6,
     0x2c43076d,
-    0x2c43b499,
-    0x2c4433e1,
-    0x2c44b561,
-    0x2c453378,
-    0x2c45b3b4,
-    0x2c463431,
-    0x2c46b4bb,
-    0x2c4734d0,
-    0x2c47b509,
-    0x2c4833f3,
+    0x2c43b4ac,
+    0x2c4433f4,
+    0x2c44b574,
+    0x2c45338b,
+    0x2c45b3c7,
+    0x2c463444,
+    0x2c46b4ce,
+    0x2c4734e3,
+    0x2c47b51c,
+    0x2c483406,
     0x30320000,
     0x30328015,
     0x3033001f,
@@ -460,79 +460,79 @@
     0x40582418,
     0x4058a43f,
     0x4059246e,
-    0x4059a49b,
-    0x405aa4af,
-    0x405b24c7,
-    0x405ba4d8,
-    0x405c24eb,
-    0x405ca52a,
-    0x405d2537,
-    0x405da55c,
-    0x405e259a,
+    0x4059a4ae,
+    0x405aa4c2,
+    0x405b24da,
+    0x405ba4eb,
+    0x405c24fe,
+    0x405ca53d,
+    0x405d254a,
+    0x405da56f,
+    0x405e25ad,
     0x405e8afe,
-    0x405f25bb,
-    0x405fa5c8,
-    0x406025d6,
-    0x4060a5f8,
-    0x40612659,
-    0x4061a691,
-    0x406226a8,
-    0x4062a6b9,
-    0x40632706,
-    0x4063a71b,
-    0x40642732,
-    0x4064a75e,
-    0x40652779,
-    0x4065a790,
-    0x406627a8,
-    0x4066a7d2,
-    0x406727fd,
-    0x4067a842,
-    0x4068288a,
-    0x4068a8ab,
-    0x406928dd,
-    0x4069a90b,
-    0x406a292c,
-    0x406aa94c,
-    0x406b2ad4,
-    0x406baaf7,
-    0x406c2b0d,
-    0x406cae17,
-    0x406d2e46,
-    0x406dae6e,
-    0x406e2e9c,
-    0x406eaee9,
-    0x406f2f42,
-    0x406faf7a,
-    0x40702f8d,
-    0x4070afaa,
+    0x405f25ce,
+    0x405fa5db,
+    0x406025e9,
+    0x4060a60b,
+    0x4061266c,
+    0x4061a6a4,
+    0x406226bb,
+    0x4062a6cc,
+    0x40632719,
+    0x4063a72e,
+    0x40642745,
+    0x4064a771,
+    0x4065278c,
+    0x4065a7a3,
+    0x406627bb,
+    0x4066a7e5,
+    0x40672810,
+    0x4067a855,
+    0x4068289d,
+    0x4068a8be,
+    0x406928f0,
+    0x4069a91e,
+    0x406a293f,
+    0x406aa95f,
+    0x406b2ae7,
+    0x406bab0a,
+    0x406c2b20,
+    0x406cae2a,
+    0x406d2e59,
+    0x406dae81,
+    0x406e2eaf,
+    0x406eaefc,
+    0x406f2f55,
+    0x406faf8d,
+    0x40702fa0,
+    0x4070afbd,
     0x4071084d,
-    0x4071afbc,
-    0x40722fcf,
-    0x4072b005,
-    0x4073301d,
+    0x4071afcf,
+    0x40722fe2,
+    0x4072b018,
+    0x40733030,
     0x407395cd,
-    0x40743031,
-    0x4074b04b,
-    0x4075305c,
-    0x4075b070,
-    0x4076307e,
+    0x40743044,
+    0x4074b05e,
+    0x4075306f,
+    0x4075b083,
+    0x40763091,
     0x4076935b,
-    0x407730a3,
-    0x4077b0e3,
-    0x407830fe,
-    0x4078b137,
-    0x4079314e,
-    0x4079b164,
-    0x407a3190,
-    0x407ab1a3,
-    0x407b31b8,
-    0x407bb1ca,
-    0x407c31fb,
-    0x407cb204,
-    0x407d28c6,
+    0x407730b6,
+    0x4077b0f6,
+    0x40783111,
+    0x4078b14a,
+    0x40793161,
+    0x4079b177,
+    0x407a31a3,
+    0x407ab1b6,
+    0x407b31cb,
+    0x407bb1dd,
+    0x407c320e,
+    0x407cb217,
+    0x407d28d9,
     0x407da20d,
-    0x407e3113,
+    0x407e3126,
     0x407ea44f,
     0x407f1e32,
     0x407fa005,
@@ -540,58 +540,58 @@
     0x40809e5a,
     0x408122bd,
     0x4081a10c,
-    0x40822e87,
+    0x40822e9a,
     0x40829bad,
     0x4083242a,
-    0x4083a743,
+    0x4083a756,
     0x40841e6e,
     0x4084a487,
-    0x408524fc,
-    0x4085a620,
-    0x4086257c,
+    0x4085250f,
+    0x4085a633,
+    0x4086258f,
     0x4086a227,
-    0x40872ecd,
-    0x4087a66e,
+    0x40872ee0,
+    0x4087a681,
     0x40881beb,
-    0x4088a855,
+    0x4088a868,
     0x40891c3a,
     0x40899bc7,
-    0x408a2b45,
+    0x408a2b58,
     0x408a99e5,
-    0x408b31df,
-    0x408baf57,
-    0x408c250c,
+    0x408b31f2,
+    0x408baf6a,
+    0x408c251f,
     0x408d1f56,
     0x408d9ea0,
     0x408e2086,
     0x408ea37a,
-    0x408f2869,
-    0x408fa63c,
-    0x4090281e,
-    0x4090a54e,
-    0x40912b2d,
+    0x408f287c,
+    0x408fa64f,
+    0x40902831,
+    0x4090a561,
+    0x40912b40,
     0x40919a1d,
     0x40921c87,
-    0x4092af08,
-    0x40932fe8,
+    0x4092af1b,
+    0x40932ffb,
     0x4093a238,
     0x40941e82,
-    0x4094ab5e,
-    0x409526ca,
-    0x4095b170,
-    0x40962eb4,
+    0x4094ab71,
+    0x409526dd,
+    0x4095b183,
+    0x40962ec7,
     0x4096a198,
     0x40972283,
     0x4097a0d5,
     0x40981ce7,
-    0x4098a6de,
-    0x40992f24,
+    0x4098a6f1,
+    0x40992f37,
     0x4099a3a7,
     0x409a2340,
     0x409a9a01,
     0x409b1edc,
     0x409b9f07,
-    0x409c30c5,
+    0x409c30d8,
     0x409c9f2f,
     0x409d2154,
     0x409da122,
@@ -602,40 +602,41 @@
     0x40a021f5,
     0x40a0a0ef,
     0x40a1213d,
-    0x41f429ff,
-    0x41f92a91,
-    0x41fe2984,
-    0x41feac3a,
-    0x41ff2d68,
-    0x42032a18,
-    0x42082a3a,
-    0x4208aa76,
-    0x42092968,
-    0x4209aab0,
-    0x420a29bf,
-    0x420aa99f,
-    0x420b29df,
-    0x420baa58,
-    0x420c2d84,
-    0x420cab6e,
-    0x420d2c21,
-    0x420dac58,
-    0x42122c8b,
-    0x42172d4b,
-    0x4217accd,
-    0x421c2cef,
-    0x421f2caa,
-    0x42212dfc,
-    0x42262d2e,
-    0x422b2dda,
-    0x422babfc,
-    0x422c2dbc,
-    0x422cabaf,
-    0x422d2b88,
-    0x422dad9b,
-    0x422e2bdb,
-    0x42302d0a,
-    0x4230ac72,
+    0x40a1a49b,
+    0x41f42a12,
+    0x41f92aa4,
+    0x41fe2997,
+    0x41feac4d,
+    0x41ff2d7b,
+    0x42032a2b,
+    0x42082a4d,
+    0x4208aa89,
+    0x4209297b,
+    0x4209aac3,
+    0x420a29d2,
+    0x420aa9b2,
+    0x420b29f2,
+    0x420baa6b,
+    0x420c2d97,
+    0x420cab81,
+    0x420d2c34,
+    0x420dac6b,
+    0x42122c9e,
+    0x42172d5e,
+    0x4217ace0,
+    0x421c2d02,
+    0x421f2cbd,
+    0x42212e0f,
+    0x42262d41,
+    0x422b2ded,
+    0x422bac0f,
+    0x422c2dcf,
+    0x422cabc2,
+    0x422d2b9b,
+    0x422dadae,
+    0x422e2bee,
+    0x42302d1d,
+    0x4230ac85,
     0x44320778,
     0x44328787,
     0x44330793,
@@ -691,71 +692,71 @@
     0x4c4194ad,
     0x4c421616,
     0x4c4293f5,
-    0x503235c5,
-    0x5032b5d4,
-    0x503335df,
-    0x5033b5ef,
-    0x50343608,
-    0x5034b622,
-    0x50353630,
-    0x5035b646,
-    0x50363658,
-    0x5036b66e,
-    0x50373687,
-    0x5037b69a,
-    0x503836b2,
-    0x5038b6c3,
-    0x503936d8,
-    0x5039b6ec,
-    0x503a370c,
-    0x503ab722,
-    0x503b373a,
-    0x503bb74c,
-    0x503c3768,
-    0x503cb77f,
-    0x503d3798,
-    0x503db7ae,
-    0x503e37bb,
-    0x503eb7d1,
-    0x503f37e3,
+    0x503235d8,
+    0x5032b5e7,
+    0x503335f2,
+    0x5033b602,
+    0x5034361b,
+    0x5034b635,
+    0x50353643,
+    0x5035b659,
+    0x5036366b,
+    0x5036b681,
+    0x5037369a,
+    0x5037b6ad,
+    0x503836c5,
+    0x5038b6d6,
+    0x503936eb,
+    0x5039b6ff,
+    0x503a371f,
+    0x503ab735,
+    0x503b374d,
+    0x503bb75f,
+    0x503c377b,
+    0x503cb792,
+    0x503d37ab,
+    0x503db7c1,
+    0x503e37ce,
+    0x503eb7e4,
+    0x503f37f6,
     0x503f83b3,
-    0x504037f6,
-    0x5040b806,
-    0x50413820,
-    0x5041b82f,
-    0x50423849,
-    0x5042b866,
-    0x50433876,
-    0x5043b886,
-    0x504438a3,
+    0x50403809,
+    0x5040b819,
+    0x50413833,
+    0x5041b842,
+    0x5042385c,
+    0x5042b879,
+    0x50433889,
+    0x5043b899,
+    0x504438b6,
     0x50448469,
-    0x504538b7,
-    0x5045b8d5,
-    0x504638e8,
-    0x5046b8fe,
-    0x50473910,
-    0x5047b925,
-    0x5048394b,
-    0x5048b959,
-    0x5049396c,
-    0x5049b981,
-    0x504a3997,
-    0x504ab9a7,
-    0x504b39c7,
-    0x504bb9da,
-    0x504c39fd,
-    0x504cba2b,
-    0x504d3a58,
-    0x504dba75,
-    0x504e3a90,
-    0x504ebaac,
-    0x504f3abe,
-    0x504fbad5,
-    0x50503ae4,
+    0x504538ca,
+    0x5045b8e8,
+    0x504638fb,
+    0x5046b911,
+    0x50473923,
+    0x5047b938,
+    0x5048395e,
+    0x5048b96c,
+    0x5049397f,
+    0x5049b994,
+    0x504a39aa,
+    0x504ab9ba,
+    0x504b39da,
+    0x504bb9ed,
+    0x504c3a10,
+    0x504cba3e,
+    0x504d3a6b,
+    0x504dba88,
+    0x504e3aa3,
+    0x504ebabf,
+    0x504f3ad1,
+    0x504fbae8,
+    0x50503af7,
     0x50508729,
-    0x50513af7,
-    0x5051b895,
-    0x50523a3d,
+    0x50513b0a,
+    0x5051b8a8,
+    0x50523a50,
     0x58320fd1,
     0x68320f93,
     0x68328ceb,
@@ -800,19 +801,19 @@
     0x7c321274,
     0x803214c0,
     0x80328090,
-    0x803332c1,
+    0x803332d4,
     0x803380b9,
-    0x803432d0,
-    0x8034b238,
-    0x80353256,
-    0x8035b2e4,
-    0x80363298,
-    0x8036b247,
-    0x8037328a,
-    0x8037b225,
-    0x803832ab,
-    0x8038b267,
-    0x8039327c,
+    0x803432e3,
+    0x8034b24b,
+    0x80353269,
+    0x8035b2f7,
+    0x803632ab,
+    0x8036b25a,
+    0x8037329d,
+    0x8037b238,
+    0x803832be,
+    0x8038b27a,
+    0x8039328f,
 };
 
 extern const size_t kOpenSSLReasonValuesLen;
@@ -1274,6 +1275,7 @@
     "NO_COMMON_SIGNATURE_ALGORITHMS\0"
     "NO_COMPRESSION_SPECIFIED\0"
     "NO_GROUPS_SPECIFIED\0"
+    "NO_MATCHING_ISSUER\0"
     "NO_METHOD_SPECIFIED\0"
     "NO_PRIVATE_KEY_ASSIGNED\0"
     "NO_RENEGOTIATION\0"
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index aa63b8f..b6de7f2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -6067,6 +6067,7 @@
 #define SSL_R_INVALID_OUTER_EXTENSION 320
 #define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321
 #define SSL_R_INVALID_ALPS_CODEPOINT 322
+#define SSL_R_NO_MATCHING_ISSUER 323
 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 3f8040b..509fdcb 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -1302,6 +1302,7 @@
     }
     if (hs->credential == nullptr) {
       // The error from the last attempt is in the error queue.
+      assert(ERR_peek_error() != 0);
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
       return ssl_hs_error;
     }
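Review bot: The added `assert(ERR_peek_error() != 0);` checks only that the error queue is non-empty, and only in builds where assertions are enabled, so it does not confirm that the entry was pushed by the credential loop that precedes this check. If any path through that loop (which starts outside this hunk) can leave `hs->credential` null without pushing a reason, or can run zero iterations, a release build still returns `ssl_hs_error` with an empty or stale queue and the caller gets no usable diagnostic. Consider a fallback that also holds in release builds, such as `if (ERR_peek_error() == 0) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); }`, or extend the comment to `// Every failing path in the loop above must push an error; the assert catches paths that forget.`. The same applies to the identical assert added in ssl/handshake_server.cc, ssl/tls13_client.cc and ssl/tls13_server.cc.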
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index 45afcf1..25c0bf3 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -752,6 +752,7 @@
   }
   if (!params.ok()) {
     // The error from the last attempt is in the error queue.
+    assert(ERR_peek_error() != 0);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
     return ssl_hs_error;
   }
diff --git a/ssl/internal.h b/ssl/internal.h
index bf8bf36..fec94ec 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1935,7 +1935,8 @@
 bool ssl_get_credential_list(SSL_HANDSHAKE *hs, Array<SSL_CREDENTIAL *> *out);
 
 // ssl_credential_matches_requested_issuers returns true if |cred| is a
-// usable match for any requested issuers in |hs|.
+// usable match for any requested issuers in |hs|, and false with an error
+// otherwise.
 bool ssl_credential_matches_requested_issuers(SSL_HANDSHAKE *hs,
                                               const SSL_CREDENTIAL *cred);
 
diff --git a/ssl/ssl_credential.cc b/ssl/ssl_credential.cc
index 184d15e..aa6236f 100644
--- a/ssl/ssl_credential.cc
+++ b/ssl/ssl_credential.cc
@@ -62,27 +62,26 @@
 
 bool ssl_credential_matches_requested_issuers(SSL_HANDSHAKE *hs,
                                               const SSL_CREDENTIAL *cred) {
-  if (cred->must_match_issuer) {
-    // If we have names sent by the CA extension, and this
-    // credential matches it, it is good.
-    if (hs->ca_names != nullptr) {
-      for (const CRYPTO_BUFFER *ca_name : hs->ca_names.get()) {
-        if (cred->ChainContainsIssuer(Span(CRYPTO_BUFFER_data(ca_name),
-                                           CRYPTO_BUFFER_len(ca_name)))) {
-          return true;
-        }
-      }
-    }
-    // TODO(bbe): Other forms of issuer matching go here.
-
-    // If this cred must match a requested issuer and we
-    // get here, we should not use it.
-    return false;
+  if (!cred->must_match_issuer) {
+    // This credential does not need to match a requested issuer, so
+    // it is good to use without a match.
+    return true;
   }
 
-  // This cred does not need to match a requested issuer, so
-  // it is good to use without a match.
-  return true;
+  // If we have names sent by the CA extension, and this
+  // credential matches it, it is good.
+  if (hs->ca_names != nullptr) {
+    for (const CRYPTO_BUFFER *ca_name : hs->ca_names.get()) {
+      if (cred->ChainContainsIssuer(
+              Span(CRYPTO_BUFFER_data(ca_name), CRYPTO_BUFFER_len(ca_name)))) {
+        return true;
+      }
+    }
+  }
+  // TODO(bbe): Other forms of issuer matching go here.
+
+  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_MATCHING_ISSUER);
+  return false;
 }
 
 BSSL_NAMESPACE_END
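Review bot: `OPENSSL_PUT_ERROR(SSL, SSL_R_NO_MATCHING_ISSUER)` now runs once for every credential that fails the issuer check, so when an earlier credential is rejected and a later one is accepted, the rejected one's entry stays on the error queue unless the caller clears it. The callers are outside this hunk, so this may already be handled; if it is, a comment here would make the contract explicit, for example `// Callers try credentials in order and must clear this error before using a later credential.`. None of the files visible in this change adds a test that a handshake failing only on issuer matching reports SSL_R_NO_MATCHING_ISSUER, which is the behaviour the commit message describes.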
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 35b3109..adfb971 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -903,6 +903,7 @@
     }
     if (hs->credential == nullptr) {
       // The error from the last attempt is in the error queue.
+      assert(ERR_peek_error() != 0);
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
       return ssl_hs_error;
     }
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index c59477e..a03529a 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -293,6 +293,7 @@
   }
   if (hs->credential == nullptr) {
     // The error from the last attempt is in the error queue.
+    assert(ERR_peek_error() != 0);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
     return ssl_hs_error;
   }