From: ejanchivdorj
Date: Thu, 11 Mar 2021 07:50:13 +0000 (-0800)
Subject: CURLcode: add CURLE_SSL_CLIENTCERT
X-Git-Tag: curl-7_77_0~102
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94241a9e78397a2aaf89a213e6ada61e7de7ee02;p=thirdparty%2Fcurl.git

CURLcode: add CURLE_SSL_CLIENTCERT

When a TLS server requests a client certificate during handshake and none can be provided, libcurl now returns this new error code CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721
---
diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3
index ae8c674e9d..82005f21f4 100644
--- a/docs/libcurl/libcurl-errors.3
+++ b/docs/libcurl/libcurl-errors.3
@@ -262,6 +262,8 @@ be one out of several problems, see the error buffer for details.
 .IP "CURLE_QUIC_CONNECT_ERROR (96)"
 QUIC connection error. This error may be caused by an SSL library error. QUIC is the protocol used for HTTP/3 transfers.
+.IP "CURLE_SSL_CLIENTCERT (98)"
+SSL Client Certificate required.
 .IP "CURLE_OBSOLETE*"
 These error codes will never be returned. They were used in an old libcurl version and are currently unused.
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 0d089ec434..9e27f5ef00 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -126,6 +126,7 @@ CURLE_SSL_CACERT 7.10 7.62.0
 CURLE_SSL_CACERT_BADFILE 7.16.0
 CURLE_SSL_CERTPROBLEM 7.10
 CURLE_SSL_CIPHER 7.10
+CURLE_SSL_CLIENTCERT 7.77.0
 CURLE_SSL_CONNECT_ERROR 7.1
 CURLE_SSL_CRL_BADFILE 7.19.0
 CURLE_SSL_ENGINE_INITFAILED 7.12.3
diff --git a/include/curl/curl.h b/include/curl/curl.h
index cd3207b1f9..1354fba325 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -612,6 +612,7 @@ typedef enum {
 CURLE_HTTP3, /* 95 - An HTTP/3 layer problem */
 CURLE_QUIC_CONNECT_ERROR, /* 96 - QUIC connection error */
 CURLE_PROXY, /* 97 - proxy handshake error */
+ CURLE_SSL_CLIENTCERT, /* 98 - client-side certificate required */
 CURL_LAST /* never use! */
 } CURLcode;
diff --git a/lib/strerror.c b/lib/strerror.c
index 3862aabd6f..5298a0d76c 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -320,9 +320,12 @@ curl_easy_strerror(CURLcode error)
 case CURLE_QUIC_CONNECT_ERROR:
 return "QUIC connection error";
 
- case CURLE_PROXY:
+ case CURLE_PROXY:
 return "proxy handshake error";
 
+ case CURLE_SSL_CLIENTCERT:
+ return "SSL Client Certificate required";
+
 /* error codes not used by current libcurl */
 case CURLE_OBSOLETE20:
 case CURLE_OBSOLETE24:
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index e1c15addd7..de484d563d 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3292,6 +3292,19 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data,
 error_buffer */
 strcpy(error_buffer, "SSL certificate verification failed");
 }
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL))
+ /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
+ OpenSSL version above v1.1.1, not Libre SSL nor BoringSSL */
+ else if((lib == ERR_LIB_SSL) &&
+ (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
+ /* If client certificate is required, communicate the
+ error to client */
+ result = CURLE_SSL_CLIENTCERT;
+ ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+ }
+#endif
 else {
 result = CURLE_SSL_CONNECT_ERROR;
 ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 4465682057..6ec37a3cc3 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
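Review bot: The new message `"SSL Client Certificate required"` in curl_easy_strerror breaks the casing convention of its neighbours (`"QUIC connection error"`, `"proxy handshake error"`), which capitalise only acronyms; `return "SSL client certificate required";` would match. The same string is repeated verbatim in libcurl-errors.3 and in tests/data/test1538 (e98) in this commit, so all three need the same edit together if it is changed. The whitespace-only rewrite of the `case CURLE_PROXY:` line is unrelated to the new error code and would be cleaner as a separate change. The switch in curl_easy_strerror starts and ends outside this hunk.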
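Review bot: The comment above the new `else if` says the reason code is only available on OpenSSL "above v1.1.1", but the guard `OPENSSL_VERSION_NUMBER >= 0x10101000L` admits 1.1.1 itself; suggest `/* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED exists in OpenSSL 1.1.1 and later but not in LibreSSL or BoringSSL, which is why both are excluded from the version check */`, which also records why the two `!defined` tests must not be dropped (LibreSSL appears to satisfy the numeric comparison without defining the constant — inferred, worth confirming against its headers). Splitting one `if`/`else if`/`else` chain across `#if`/`#endif` compiles, but it is easy to break when the neighbouring branches are edited; a check nested inside the final `else` would be more robust. In TLS 1.3 the certificate_required alert is sent by the server after the client has completed its side of the handshake, so depending on timing it may only surface on the first read rather than inside SSL_connect(), which this branch would not see — worth confirming with a test against a server that demands a client certificate. ossl_connect_step2 begins and ends outside this hunk, and `lib`, `reason` and `errdetail` are set above it.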
@@ -2708,8 +2708,9 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
 #if CURL_BUILD_MAC_10_6
 /* Only returned when kSSLSessionOptionBreakOnCertRequested is set */
 case errSSLClientCertRequested:
- failf(data, "The server has requested a client certificate");
- break;
+ failf(data, "Server requested a client certificate during the "
+ "handshake");
+ return CURLE_SSL_CLIENTCERT;
 #endif
 #if CURL_BUILD_MAC_10_9
 /* Alias for errSSLLast, end of error range */
diff --git a/tests/data/test1538 b/tests/data/test1538
index ec86dd0750..4d7535ced7 100644
--- a/tests/data/test1538
+++ b/tests/data/test1538
@@ -130,7 +130,8 @@ e94: An authentication function returned an error
 e95: HTTP/3 error
 e96: QUIC connection error
 e97: proxy handshake error
-e98: Unknown error
+e98: SSL Client Certificate required
+e99: Unknown error
 m-1: Please call curl_multi_perform() soon
 m0: No error
 m1: Invalid multi handle
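Review bot: Replacing `break;` with `return CURLE_SSL_CLIENTCERT;` leaves sectransp_connect_step2 from inside the switch, so whatever ran after the switch for this status before (the generic error return plus any cleanup or state update there) is now skipped for errSSLClientCertRequested alone; the function starts and ends outside this hunk, so check that nothing after the switch is required on this path. The comment on the case says the status is only returned when kSSLSessionOptionBreakOnCertRequested is set, and whether this backend sets that option is not visible here — without it the branch is dead and Secure Transport would never report the new code. A short comment on the return, `/* report a missing client cert distinctly from a generic connect failure */`, would explain why this case diverges from its siblings that fall through to the common return.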