From 104566f3c0ca92ebf42c1abc54aba5d09d98b58a Mon Sep 17 00:00:00 2001 From: Cameron Bytheway Date: Wed, 20 Nov 2024 13:40:53 -0700 Subject: [PATCH 1/2] feat: add alert mappings for certificate errors --- tests/unit/s2n_alerts_protocol_test.c | 4 +- tests/unit/s2n_mutual_auth_test.c | 4 +- tls/s2n_alerts.c | 56 ++++++++++++++++++++++----- 3 files changed, 51 insertions(+), 13 deletions(-) diff --git a/tests/unit/s2n_alerts_protocol_test.c b/tests/unit/s2n_alerts_protocol_test.c index d566448b092..441d566b52b 100644 --- a/tests/unit/s2n_alerts_protocol_test.c +++ b/tests/unit/s2n_alerts_protocol_test.c @@ -270,8 +270,8 @@ int main(int argc, char **argv) case S2N_ERR_CERT_UNTRUSTED: EXPECT_SUCCESS(s2n_connection_set_config(client, untrusted_config)); - EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server, client), - S2N_ERR_CERT_UNTRUSTED); + EXPECT_FAILURE_WITH_ALERT(s2n_negotiate_test_server_and_client(server, client), + S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN); failed_conn = client; closed_conn = server; diff --git a/tests/unit/s2n_mutual_auth_test.c b/tests/unit/s2n_mutual_auth_test.c index c3d307cbd1e..520653ed029 100644 --- a/tests/unit/s2n_mutual_auth_test.c +++ b/tests/unit/s2n_mutual_auth_test.c @@ -369,8 +369,8 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_connection_set_io_pair(client_conn, &io_pair)); EXPECT_SUCCESS(s2n_connection_set_io_pair(server_conn, &io_pair)); - EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server_conn, client_conn), - S2N_ERR_CERT_UNTRUSTED); + EXPECT_FAILURE_WITH_ALERT(s2n_negotiate_test_server_and_client(server_conn, client_conn), + S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN); /* Ensure that a client certificate was received on the server, indicating that the * validation error occurred when processing the client's certificate, rather than the diff --git a/tls/s2n_alerts.c b/tls/s2n_alerts.c index 73c46c63da9..635df6ec745 100644 --- a/tls/s2n_alerts.c +++ b/tls/s2n_alerts.c @@ -65,6 +65,53 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t S2N_ALERT_CASE(S2N_ERR_KTLS_KEYUPDATE, S2N_TLS_ALERT_UNEXPECTED_MESSAGE); + /* For errors involving certificates */ + + /* This error is used in several ways so make it a general certificate issue + *= https://www.rfc-editor.org/rfc/rfc8446#section-6.2 + *# certificate_unknown: Some other (unspecified) issue arose in + *# processing the certificate, rendering it unacceptable. + */ + S2N_ALERT_CASE(S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN); + + /* + *= https://www.rfc-editor.org/rfc/rfc8446#section-6.2 + *# certificate_revoked: A certificate was revoked by its signer. + */ + S2N_ALERT_CASE(S2N_ERR_CERT_REVOKED, S2N_TLS_ALERT_CERTIFICATE_REVOKED); + + /* + *= https://www.rfc-editor.org/rfc/rfc8446#section-6.2 + *# certificate_expired: A certificate has expired or is not currently + *# valid. + */ + S2N_ALERT_CASE(S2N_ERR_CERT_NOT_YET_VALID, S2N_TLS_ALERT_CERTIFICATE_EXPIRED); + S2N_ALERT_CASE(S2N_ERR_CERT_EXPIRED, S2N_TLS_ALERT_CERTIFICATE_EXPIRED); + + /* + *= https://www.rfc-editor.org/rfc/rfc8446#section-6.2 + *# unsupported_certificate: A certificate was of an unsupported type. + */ + S2N_ALERT_CASE(S2N_ERR_CERT_TYPE_UNSUPPORTED, S2N_TLS_ALERT_UNSUPPORTED_CERTIFICATE); + S2N_ALERT_CASE(S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT, S2N_TLS_ALERT_UNSUPPORTED_CERTIFICATE); + + /* + *= https://www.rfc-editor.org/rfc/rfc8446#section-6.2 + *# access_denied: A valid certificate or PSK was received, but when + *# access control was applied, the sender decided not to proceed with + *# negotiation. + */ + S2N_ALERT_CASE(S2N_ERR_CERT_REJECTED, S2N_TLS_ALERT_ACCESS_DENIED); + + /* + *= https://www.rfc-editor.org/rfc/rfc8446#section-6.2 + *# bad_certificate: A certificate was corrupt, contained signatures + *# that did not verify correctly, etc. + */ + S2N_ALERT_CASE(S2N_ERR_CERT_MAX_CHAIN_DEPTH_EXCEEDED, S2N_TLS_ALERT_BAD_CERTIFICATE); + S2N_ALERT_CASE(S2N_ERR_CERT_INVALID, S2N_TLS_ALERT_BAD_CERTIFICATE); + S2N_ALERT_CASE(S2N_ERR_DECODE_CERTIFICATE, S2N_TLS_ALERT_BAD_CERTIFICATE); + /* TODO: Add mappings for other protocol errors. */ S2N_NO_ALERT(S2N_ERR_ENCRYPT); @@ -87,7 +134,6 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t S2N_NO_ALERT(S2N_ERR_HASH_WIPE_FAILED); S2N_NO_ALERT(S2N_ERR_HASH_NOT_READY); S2N_NO_ALERT(S2N_ERR_ALLOW_MD5_FOR_FIPS_FAILED); - S2N_NO_ALERT(S2N_ERR_DECODE_CERTIFICATE); S2N_NO_ALERT(S2N_ERR_DECODE_PRIVATE_KEY); S2N_NO_ALERT(S2N_ERR_INVALID_HELLO_RETRY); S2N_NO_ALERT(S2N_ERR_INVALID_SIGNATURE_ALGORITHM); @@ -108,14 +154,6 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t S2N_NO_ALERT(S2N_ERR_SHUTDOWN_CLOSED); S2N_NO_ALERT(S2N_ERR_NON_EMPTY_RENEGOTIATION_INFO); S2N_NO_ALERT(S2N_ERR_RECORD_LIMIT); - S2N_NO_ALERT(S2N_ERR_CERT_UNTRUSTED); - S2N_NO_ALERT(S2N_ERR_CERT_REVOKED); - S2N_NO_ALERT(S2N_ERR_CERT_NOT_YET_VALID); - S2N_NO_ALERT(S2N_ERR_CERT_EXPIRED); - S2N_NO_ALERT(S2N_ERR_CERT_TYPE_UNSUPPORTED); - S2N_NO_ALERT(S2N_ERR_CERT_INVALID); - S2N_NO_ALERT(S2N_ERR_CERT_MAX_CHAIN_DEPTH_EXCEEDED); - S2N_NO_ALERT(S2N_ERR_CERT_REJECTED); S2N_NO_ALERT(S2N_ERR_CRL_LOOKUP_FAILED); S2N_NO_ALERT(S2N_ERR_CRL_SIGNATURE); S2N_NO_ALERT(S2N_ERR_CRL_ISSUER); From ca85ea99824750f4a18848b20ec3723462a9cf96 Mon Sep 17 00:00:00 2001 From: Cameron Bytheway Date: Wed, 20 Nov 2024 16:34:37 -0700 Subject: [PATCH 2/2] Update tls/s2n_alerts.c Co-authored-by: Sam Clark <3758302+goatgoose@users.noreply.github.com> --- tls/s2n_alerts.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tls/s2n_alerts.c b/tls/s2n_alerts.c index 635df6ec745..8766331b887 100644 --- a/tls/s2n_alerts.c +++ b/tls/s2n_alerts.c @@ -93,7 +93,6 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t *# unsupported_certificate: A certificate was of an unsupported type. */ S2N_ALERT_CASE(S2N_ERR_CERT_TYPE_UNSUPPORTED, S2N_TLS_ALERT_UNSUPPORTED_CERTIFICATE); - S2N_ALERT_CASE(S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT, S2N_TLS_ALERT_UNSUPPORTED_CERTIFICATE); /* *= https://www.rfc-editor.org/rfc/rfc8446#section-6.2