From: Matt Caswell Date: Wed, 22 Jun 2016 18:41:03 +0000 (+0100) Subject: Fix SSLv3 ClientAuth alert checking X-Git-Tag: OpenSSL_1_1_0-pre6~206 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=10e6d235494f69365914f959f83b448b0b21dca2 Fix SSLv3 ClientAuth alert checking In TLS during ClientAuth if the CA is not recognised you should get an UnknownCA alert. In SSLv3 this does not exist and you should get a BadCertificate alert. Reviewed-by: Emilia Käsper
---
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index e1044f9ebc..495db02c5f 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -26,7 +26,13 @@ sub generate_tests() {
 foreach (0..$#protocols) {
 my $protocol = $protocols[$_];
 my $protocol_name = $protocol || "flex";
+ my $caalert;
 if (!$is_disabled[$_]) {
+ if ($protocol_name eq "SSLv3") {
+ $caalert = "BadCertificate";
+ } else {
+ $caalert = "UnknownCA";
+ }
 # Sanity-check simple handshake.
 push @tests, {
 name => "server-auth-${protocol_name}",
@@ -109,7 +115,7 @@ sub generate_tests() {
 },
 test => {
 "ExpectedResult" => "ServerFail",
- "ServerAlert" => "UnknownCA",
+ "ServerAlert" => $caalert,
 },
 };
 }
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index b06ab4828c..4d038d2c23 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -83,6 +83,7 @@ static const test_enum ssl_alerts[] = {
 {"UnknownCA", SSL_AD_UNKNOWN_CA},
 {"HandshakeFailure", SSL_AD_HANDSHAKE_FAILURE},
 {"UnrecognizedName", SSL_AD_UNRECOGNIZED_NAME},
+ {"BadCertificate", SSL_AD_BAD_CERTIFICATE}
 };
 __owur static int parse_alert(int *alert, const char *value)
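Review bot: `my $caalert;` is declared ahead of the `if (!$is_disabled[$_])` guard in the first hunk but only assigned inside it, so its scope is wider than its use and it stays undef on the disabled path. Declaring it where it is set, as `my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";`, replaces the five-line if/else, and a comment such as `# SSLv3 defines no unknown_ca alert; an untrusted client CA is reported as bad_certificate` would keep the reason next to the value. The second hunk's `"ServerAlert" => $caalert` presumably sits inside the same guard, but generate_tests continues outside both hunks so that is not visible here; if it does not, the expected alert would be undef for a disabled protocol.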
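Review bot: The new `{"BadCertificate", SSL_AD_BAD_CERTIFICATE}` entry drops the trailing comma that every other visible entry in `ssl_alerts[]` carries, so the next alert added to the table has to edit this line as well. Writing it as `{"BadCertificate", SSL_AD_BAD_CERTIFICATE},` keeps the table uniform and future diffs to one line. The array's opening line appears only in the hunk header, so entries before `UnknownCA` may exist outside the hunk.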