From: Daiki Ueno Date: Tue, 13 Aug 2024 16:17:29 +0000 (+0900) Subject: compress-cert: don't send bad_certificate alert manually X-Git-Tag: 3.8.7~2^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6295cd2c317efc57acd943c97ffd950445341459;p=thirdparty%2Fgnutls.git compress-cert: don't send bad_certificate alert manually The library API is not designed to proactively send alert by itself, but it is rather a responsibility of the application to decide to which alert to be sent when. This removes the manual call to gnutls_alert_send in the code handling TLS 1.3 Certificate message when a decompression error happens. Signed-off-by: Daiki Ueno --- diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c index d5fc847c51..b6355ea0eb 100644 --- a/lib/tls13/certificate.c +++ b/lib/tls13/certificate.c @@ -95,8 +95,7 @@ int _gnutls13_recv_certificate(gnutls_session_t session) ret = decompress_certificate(session, &buf); if (ret < 0) { gnutls_assert(); - gnutls_alert_send(session, GNUTLS_AL_FATAL, - GNUTLS_A_BAD_CERTIFICATE); + ret = GNUTLS_E_CERTIFICATE_ERROR; goto cleanup; } } diff --git a/tests/tls13/compress-cert-neg2.c b/tests/tls13/compress-cert-neg2.c index 16b58e5648..2d8bf07003 100644 --- a/tests/tls13/compress-cert-neg2.c +++ b/tests/tls13/compress-cert-neg2.c @@ -124,7 +124,9 @@ static void client(int fd) do { ret = gnutls_handshake(session); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); - if (ret >= 0) + if (ret < 0) + gnutls_alert_send_appropriate(session, ret); + else fail("client: handshake should have failed\n"); gnutls_bye(session, GNUTLS_SHUT_WR);
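Review bot: in the lib/tls13/certificate.c hunk, `ret = GNUTLS_E_CERTIFICATE_ERROR;` overwrites the negative value that `decompress_certificate()` just returned, so any more specific error it reported is discarded before `goto cleanup`. If the intent is that every decompression failure reaches the application as GNUTLS_E_CERTIFICATE_ERROR (and thus maps to a bad_certificate alert once the application calls gnutls_alert_send_appropriate()), a one-line comment stating that mapping would help the next reader; otherwise propagate the original `ret` and confirm the alert mapping for that code is still bad_certificate. Note also that removing the library-sent fatal alert means a peer now only receives bad_certificate on decompression failure if the application follows up with gnutls_alert_send_appropriate(), as the updated test does; that is an observable wire-level behaviour change for applications that do not, and deserves a NEWS or API-doc mention beyond the commit message.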
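Review bot: in the tests/tls13/compress-cert-neg2.c hunk, the new failure branch only checks `ret < 0`; since the library change now returns GNUTLS_E_CERTIFICATE_ERROR for the decompression failure, assert on that value (for example `if (ret != GNUTLS_E_CERTIFICATE_ERROR) fail("client: unexpected error %d\n", ret);`) so a handshake that fails for an unrelated reason does not silently pass. The return value of `gnutls_alert_send_appropriate(session, ret)` is also ignored; checking it, or at least commenting on why a send failure is acceptable here, would make explicit that the test is exercising the application-sent bad_certificate alert that the library hunk stopped sending.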