feat: add alert mappings for certificate errors #4919

Merged
merged 4 commits into from
Nov 21, 2024
4 changes: 2 additions & 2 deletions tests/unit/s2n_alerts_protocol_test.c
Expand Up @@ -270,8 +270,8 @@ int main(int argc, char **argv)
case S2N_ERR_CERT_UNTRUSTED:
EXPECT_SUCCESS(s2n_connection_set_config(client, untrusted_config));

EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server, client),
S2N_ERR_CERT_UNTRUSTED);
EXPECT_FAILURE_WITH_ALERT(s2n_negotiate_test_server_and_client(server, client),
S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN);

failed_conn = client;
closed_conn = server;
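Review bot: Only `S2N_ERR_CERT_UNTRUSTED` has its alert asserted, both here and in the matching change to tests/unit/s2n_mutual_auth_test.c, while the same commit adds nine other certificate mappings in tls/s2n_alerts.c. A wrong or accidentally dropped mapping for any of those would not fail either visible test. If nothing else on this pull request covers them (the page shows one commit of four), I would add one assertion per mapping in the style of the changed line, e.g. `EXPECT_FAILURE_WITH_ALERT(<handshake call that triggers the error>, S2N_ERR_CERT_EXPIRED, S2N_TLS_ALERT_CERTIFICATE_EXPIRED);`. The enclosing `main` starts and ends outside the hunk.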
4 changes: 2 additions & 2 deletions tests/unit/s2n_mutual_auth_test.c
Expand Up @@ -369,8 +369,8 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_set_io_pair(client_conn, &io_pair));
EXPECT_SUCCESS(s2n_connection_set_io_pair(server_conn, &io_pair));

EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server_conn, client_conn),
S2N_ERR_CERT_UNTRUSTED);
EXPECT_FAILURE_WITH_ALERT(s2n_negotiate_test_server_and_client(server_conn, client_conn),
S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN);

/* Ensure that a client certificate was received on the server, indicating that the
* validation error occurred when processing the client's certificate, rather than the
56 changes: 47 additions & 9 deletions tls/s2n_alerts.c
Expand Up @@ -65,6 +65,53 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t

S2N_ALERT_CASE(S2N_ERR_KTLS_KEYUPDATE, S2N_TLS_ALERT_UNEXPECTED_MESSAGE);

/* For errors involving certificates */

/* This error is used in several ways so make it a general certificate issue
*= https://www.rfc-editor.org/rfc/rfc8446#section-6.2
*# certificate_unknown: Some other (unspecified) issue arose in
*# processing the certificate, rendering it unacceptable.
*/
S2N_ALERT_CASE(S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN);

/*
*= https://www.rfc-editor.org/rfc/rfc8446#section-6.2
*# certificate_revoked: A certificate was revoked by its signer.
*/
S2N_ALERT_CASE(S2N_ERR_CERT_REVOKED, S2N_TLS_ALERT_CERTIFICATE_REVOKED);

/*
*= https://www.rfc-editor.org/rfc/rfc8446#section-6.2
*# certificate_expired: A certificate has expired or is not currently
*# valid.
*/
S2N_ALERT_CASE(S2N_ERR_CERT_NOT_YET_VALID, S2N_TLS_ALERT_CERTIFICATE_EXPIRED);
S2N_ALERT_CASE(S2N_ERR_CERT_EXPIRED, S2N_TLS_ALERT_CERTIFICATE_EXPIRED);

/*
*= https://www.rfc-editor.org/rfc/rfc8446#section-6.2
*# unsupported_certificate: A certificate was of an unsupported type.
*/
S2N_ALERT_CASE(S2N_ERR_CERT_TYPE_UNSUPPORTED, S2N_TLS_ALERT_UNSUPPORTED_CERTIFICATE);
S2N_ALERT_CASE(S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT, S2N_TLS_ALERT_UNSUPPORTED_CERTIFICATE);
camshaft marked this conversation as resolved.

/*
*= https://www.rfc-editor.org/rfc/rfc8446#section-6.2
*# access_denied: A valid certificate or PSK was received, but when
*# access control was applied, the sender decided not to proceed with
*# negotiation.
*/
S2N_ALERT_CASE(S2N_ERR_CERT_REJECTED, S2N_TLS_ALERT_ACCESS_DENIED);

/*
*= https://www.rfc-editor.org/rfc/rfc8446#section-6.2
*# bad_certificate: A certificate was corrupt, contained signatures
*# that did not verify correctly, etc.
*/
S2N_ALERT_CASE(S2N_ERR_CERT_MAX_CHAIN_DEPTH_EXCEEDED, S2N_TLS_ALERT_BAD_CERTIFICATE);
S2N_ALERT_CASE(S2N_ERR_CERT_INVALID, S2N_TLS_ALERT_BAD_CERTIFICATE);
S2N_ALERT_CASE(S2N_ERR_DECODE_CERTIFICATE, S2N_TLS_ALERT_BAD_CERTIFICATE);

/* TODO: Add mappings for other protocol errors.
*/
S2N_NO_ALERT(S2N_ERR_ENCRYPT);
Expand All @@ -87,7 +134,6 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t
S2N_NO_ALERT(S2N_ERR_HASH_WIPE_FAILED);
S2N_NO_ALERT(S2N_ERR_HASH_NOT_READY);
S2N_NO_ALERT(S2N_ERR_ALLOW_MD5_FOR_FIPS_FAILED);
S2N_NO_ALERT(S2N_ERR_DECODE_CERTIFICATE);
S2N_NO_ALERT(S2N_ERR_DECODE_PRIVATE_KEY);
S2N_NO_ALERT(S2N_ERR_INVALID_HELLO_RETRY);
S2N_NO_ALERT(S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
Expand All @@ -108,14 +154,6 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t
S2N_NO_ALERT(S2N_ERR_SHUTDOWN_CLOSED);
S2N_NO_ALERT(S2N_ERR_NON_EMPTY_RENEGOTIATION_INFO);
S2N_NO_ALERT(S2N_ERR_RECORD_LIMIT);
S2N_NO_ALERT(S2N_ERR_CERT_UNTRUSTED);
S2N_NO_ALERT(S2N_ERR_CERT_REVOKED);
S2N_NO_ALERT(S2N_ERR_CERT_NOT_YET_VALID);
S2N_NO_ALERT(S2N_ERR_CERT_EXPIRED);
S2N_NO_ALERT(S2N_ERR_CERT_TYPE_UNSUPPORTED);
S2N_NO_ALERT(S2N_ERR_CERT_INVALID);
S2N_NO_ALERT(S2N_ERR_CERT_MAX_CHAIN_DEPTH_EXCEEDED);
S2N_NO_ALERT(S2N_ERR_CERT_REJECTED);
S2N_NO_ALERT(S2N_ERR_CRL_LOOKUP_FAILED);
S2N_NO_ALERT(S2N_ERR_CRL_SIGNATURE);
S2N_NO_ALERT(S2N_ERR_CRL_ISSUER);
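Review bot: The certificate block added after `S2N_ALERT_CASE(S2N_ERR_KTLS_KEYUPDATE, ...)` makes the reason for a validation failure visible to the peer, and nothing in the hunk records that this is intended. The eight `S2N_ERR_CERT_*` codes and `S2N_ERR_DECODE_CERTIFICATE` appear to move out of the `S2N_NO_ALERT` lists in the two later hunks, so a peer can now tell a revoked certificate from an expired one or from one refused by access control (`access_denied`). RFC 8446 section 6.2 defines these alerts, so this is a design choice rather than a defect, but I would state it at the head of the block, e.g. `/* These alerts disclose the validation outcome to the peer; keep each mapping no more specific than the error requires. */`. `S2N_ERR_CERT_MAX_CHAIN_DEPTH_EXCEEDED` also needs a one-line why-comment, since the quoted `bad_certificate` text covers corrupt certificates and bad signatures and a chain-length limit is neither. The function `s2n_translate_protocol_error_to_alert` starts and ends outside the hunks.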