CURLcode: add CURLE_SSL_CLIENTCERT

author ejanchivdorj <ejanchivdorj@tableau.com>

Thu, 11 Mar 2021 07:50:13 +0000 (23:50 -0800)

committer Daniel Stenberg <daniel@haxx.se>

Mon, 3 May 2021 15:11:01 +0000 (17:11 +0200)
author ejanchivdorj <ejanchivdorj@tableau.com>
Thu, 11 Mar 2021 07:50:13 +0000 (23:50 -0800)
committer Daniel Stenberg <daniel@haxx.se>
Mon, 3 May 2021 15:11:01 +0000 (17:11 +0200)
diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3

index ae8c674e9d61719d5226b8d48d4faa902a34642a..82005f21f4bbc1f57a40b52bb63bd0e04320e6f3 100644 (file)
--- a/docs/libcurl/libcurl-errors.3
+++ b/docs/libcurl/libcurl-errors.3
@@ -262,6 +262,8 @@ be one out of several problems, see the error buffer for details.
  .IP "CURLE_QUIC_CONNECT_ERROR (96)"
  QUIC connection error. This error may be caused by an SSL library error. QUIC
  is the protocol used for HTTP/3 transfers.
+.IP "CURLE_SSL_CLIENTCERT (98)"
+SSL Client Certificate required.
  .IP "CURLE_OBSOLETE*"
  These error codes will never be returned. They were used in an old libcurl
  version and are currently unused.
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions

index 0d089ec434acdbe808dd532dbbd4e13f508b743f..9e27f5ef00c909faf3a8b65f278a6ef3589a909b 100644 (file)
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -126,6 +126,7 @@ CURLE_SSL_CACERT                7.10          7.62.0
  CURLE_SSL_CACERT_BADFILE        7.16.0
  CURLE_SSL_CERTPROBLEM           7.10
  CURLE_SSL_CIPHER                7.10
+CURLE_SSL_CLIENTCERT            7.77.0
  CURLE_SSL_CONNECT_ERROR         7.1
  CURLE_SSL_CRL_BADFILE           7.19.0
  CURLE_SSL_ENGINE_INITFAILED     7.12.3
diff --git a/include/curl/curl.h b/include/curl/curl.h

index cd3207b1f976f48cf0c2d8c1096988941cd25777..1354fba325ad54d5c467c08cb88c4881df4d2b92 100644 (file)
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -612,6 +612,7 @@ typedef enum {
    CURLE_HTTP3,                   /* 95 - An HTTP/3 layer problem */
    CURLE_QUIC_CONNECT_ERROR,      /* 96 - QUIC connection error */
    CURLE_PROXY,                   /* 97 - proxy handshake error */
+  CURLE_SSL_CLIENTCERT,          /* 98 - client-side certificate required */
    CURL_LAST /* never use! */
  } CURLcode;
  
diff --git a/lib/strerror.c b/lib/strerror.c

index 3862aabd6fb180a6dded5b48ac496e3530b717c1..5298a0d76c1364b5c51962e64d34ad1eb9e42b24 100644 (file)
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -320,9 +320,12 @@ curl_easy_strerror(CURLcode error)
    case CURLE_QUIC_CONNECT_ERROR:
      return "QUIC connection error";
  
- case CURLE_PROXY:
+  case CURLE_PROXY:
      return "proxy handshake error";
  
+  case CURLE_SSL_CLIENTCERT:
+    return "SSL Client Certificate required";
+
      /* error codes not used by current libcurl */
    case CURLE_OBSOLETE20:
    case CURLE_OBSOLETE24:
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c

index e1c15addd7b512d8256ad5ea9d10ee04558c8d90..de484d563d46833f25bd00e9056e600d0586be7c 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3292,6 +3292,19 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data,
               error_buffer */
            strcpy(error_buffer, "SSL certificate verification failed");
        }
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
+    !defined(LIBRESSL_VERSION_NUMBER) && \
+    !defined(OPENSSL_IS_BORINGSSL))
+      /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
+         OpenSSL version above v1.1.1, not Libre SSL nor BoringSSL */
+      else if((lib == ERR_LIB_SSL) &&
+              (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
+          /* If client certificate is required, communicate the
+             error to client */
+          result = CURLE_SSL_CLIENTCERT;
+          ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+      }
+#endif
        else {
          result = CURLE_SSL_CONNECT_ERROR;
          ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c

index 446568205776a1709c3e0e3a88de644f034f8147..6ec37a3cc3f6832f0419cf3a7111ab6b76b16fb2 100644 (file)
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -2708,8 +2708,9 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
  #if CURL_BUILD_MAC_10_6
        /* Only returned when kSSLSessionOptionBreakOnCertRequested is set */
        case errSSLClientCertRequested:
-        failf(data, "The server has requested a client certificate");
-        break;
+        failf(data, "Server requested a client certificate during the "
+              "handshake");
+        return CURLE_SSL_CLIENTCERT;
  #endif
  #if CURL_BUILD_MAC_10_9
        /* Alias for errSSLLast, end of error range */
diff --git a/tests/data/test1538 b/tests/data/test1538

index ec86dd075007e79ffcffa3c85e711254cb4dcef4..4d7535ced7ddecf061bd594303c5e68bc74380ee 100644 (file)
--- a/tests/data/test1538
+++ b/tests/data/test1538
@@ -130,7 +130,8 @@ e94: An authentication function returned an error
  e95: HTTP/3 error
  e96: QUIC connection error
  e97: proxy handshake error
-e98: Unknown error
+e98: SSL Client Certificate required
+e99: Unknown error
  m-1: Please call curl_multi_perform() soon
  m0: No error
  m1: Invalid multi handle
author	ejanchivdorj <ejanchivdorj@tableau.com>
	Thu, 11 Mar 2021 07:50:13 +0000 (23:50 -0800)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 3 May 2021 15:11:01 +0000 (17:11 +0200)
docs/libcurl/libcurl-errors.3		patch \| blob \| blame \| history
docs/libcurl/symbols-in-versions		patch \| blob \| blame \| history
include/curl/curl.h		patch \| blob \| blame \| history
lib/strerror.c		patch \| blob \| blame \| history
lib/vtls/openssl.c		patch \| blob \| blame \| history
lib/vtls/sectransp.c		patch \| blob \| blame \| history
tests/data/test1538		patch \| blob \| blame \| history