tls13/certificate: utilize "certificate_required" alert
authorDaiki Ueno <dueno@redhat.com>
Mon, 4 Mar 2019 16:17:47 +0000 (17:17 +0100)
committerDaiki Ueno <dueno@redhat.com>
Tue, 5 Mar 2019 14:02:46 +0000 (15:02 +0100)
This could make errors more distinguishable when the client sends no
certificates or a bad certificate.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
lib/alert.c
lib/errors.c
lib/includes/gnutls/gnutls.h.in
lib/tls13/certificate.c
tests/cert-status.c
tests/empty_retrieve_function.c
tests/null_retrieve_function.c
tests/tls13/post-handshake-with-cert-auto.c
tests/tls13/post-handshake-with-cert.c
tests/tls13/post-handshake-with-psk.c

index 6926edf3395d13c917e0dbc1c583de8168fdbc57..dd99c0fc52cd4f738655ba2cacc78ceac690bd6c 100644 (file)
@@ -328,6 +328,10 @@ int gnutls_error_to_alert(int err, int *level)
                ret = GNUTLS_A_UNRECOGNIZED_NAME;
                _level = GNUTLS_AL_FATAL;
                break;
+       case GNUTLS_E_CERTIFICATE_REQUIRED:
+               ret = GNUTLS_A_CERTIFICATE_REQUIRED;
+               _level = GNUTLS_AL_FATAL;
+               break;
        default:
                ret = GNUTLS_A_INTERNAL_ERROR;
                _level = GNUTLS_AL_FATAL;
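Review bot: The new case maps GNUTLS_E_CERTIFICATE_REQUIRED to GNUTLS_A_CERTIFICATE_REQUIRED unconditionally, but gnutls_error_to_alert takes only the error and a level pointer, so it cannot tell which protocol version is in use, and certificate_required (alert 116) is defined only for TLS 1.3 (RFC 8446 §6.2); a TLS 1.2 peer receiving it would see an alert its specification does not define. This is safe today only because the error is raised from lib/tls13/certificate.c, and that invariant is worth stating on the case so it survives later refactoring, e.g. `/* TLS 1.3-only alert (RFC 8446 6.2): GNUTLS_E_CERTIFICATE_REQUIRED must only be raised from TLS 1.3 code paths */`. gnutls_error_to_alert starts before the hunk and its switch continues after it.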
index 520958b70c2cef4e2a1623514c6df194541c39c1..0ce58043f6f5c30f322a5290be4d502927968cb3 100644 (file)
@@ -93,6 +93,8 @@ static const gnutls_error_entry error_entries[] = {
                    GNUTLS_E_ERROR_IN_FINISHED_PACKET),
        ERROR_ENTRY(N_("No certificate was found."),
                    GNUTLS_E_NO_CERTIFICATE_FOUND),
+       ERROR_ENTRY(N_("Certificate is required."),
+                   GNUTLS_E_CERTIFICATE_REQUIRED),
        ERROR_ENTRY(N_
                    ("The given DSA key is incompatible with the selected TLS protocol."),
                    GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL),
index 68ee239c10a813fbbf47c0087319e76d705283e6..5187501a7c5a2ecfd57a59407eb36f711f01cac0 100644 (file)
@@ -3145,6 +3145,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
 #define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
 #define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
 #define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
+#define GNUTLS_E_CERTIFICATE_REQUIRED -112 /* GNUTLS_A_CERTIFICATE_REQUIRED */
 
   /* returned if you need to generate temporary RSA
    * parameters. These are needed for export cipher suites.
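Review bot: The new public error code at the `#define GNUTLS_E_CERTIFICATE_REQUIRED` line carries only the alert cross-reference, yet applications that matched GNUTLS_E_NO_CERTIFICATE_FOUND on a server configured with GNUTLS_CERT_REQUIRE now receive this code instead from TLS 1.3 peers (the test updates in this commit show that switch), so the header is where callers will look for the meaning. Suggest extending the trailing comment to `/* server, TLS 1.3: client sent an empty Certificate while GNUTLS_CERT_REQUIRE was set; alert GNUTLS_A_CERTIFICATE_REQUIRED */`. The value -112 is also placed after -82 out of numeric order; if -83..-111 are allocated elsewhere in the file, a one-line note saying so helps the next person choosing a value.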
index 2560ca3427fe03b72c8c73575f28fcf3e9e3ab7d..91d0a7fe684d0d06960db5335978e391e6ca30df 100644 (file)
@@ -100,8 +100,13 @@ int _gnutls13_recv_certificate(gnutls_session_t session)
 
        ret = parse_cert_list(session, buf.data, buf.length);
        if (ret < 0) {
-               if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional)
-                       ret = 0;
+               if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+                       if (optional)
+                               ret = 0;
+                       else if (session->security_parameters.entity ==
+                                GNUTLS_SERVER)
+                               ret = GNUTLS_E_CERTIFICATE_REQUIRED;
+               }
                gnutls_assert();
                goto cleanup;
        }
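Review bot: The `else if (session->security_parameters.entity == GNUTLS_SERVER)` guard on the added lines is the right restriction (RFC 8446 §4.4.2.4 makes certificate_required a server-to-client alert, so a client that receives an empty server Certificate must keep the generic error), but nothing in the code says why, and the check reads like an oversight that a later cleanup could drop; a comment such as `/* RFC 8446 4.4.2.4: only a server may answer an empty Certificate with certificate_required; a client keeps GNUTLS_E_NO_CERTIFICATE_FOUND */` would pin it. The restructured branch also still calls gnutls_assert() and jumps to cleanup after ret has been reset to 0 for the optional case, which appears to be the pre-existing behaviour (nothing further to process for an empty list) but is easy to misread as an error path; a short comment there would help too. _gnutls13_recv_certificate starts before the hunk and its cleanup label lies after it.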
index 83606ee9202ecb8fd9b0a03ad10f1c9e1c0b209e..c9b4dc2ea368de8329221431b28110514d5321f4 100644 (file)
@@ -252,11 +252,11 @@ void doit(void)
 
        start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_IGNORE, 0);
        start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUEST, 0);
-       start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUIRE, GNUTLS_E_NO_CERTIFICATE_FOUND);
+       start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUIRE, GNUTLS_E_CERTIFICATE_REQUIRED);
 
        start("NORMAL", GNUTLS_CERT_IGNORE, 0);
        start("NORMAL", GNUTLS_CERT_REQUEST, 0);
-       start("NORMAL", GNUTLS_CERT_REQUIRE, GNUTLS_E_NO_CERTIFICATE_FOUND);
+       start("NORMAL", GNUTLS_CERT_REQUIRE, GNUTLS_E_CERTIFICATE_REQUIRED);
 }
 
 #endif                         /* _WIN32 */
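Review bot: After this change the visible part of doit() no longer pins the TLS 1.2 behaviour: the `NORMAL` cases now expect GNUTLS_E_CERTIFICATE_REQUIRED because the default priority negotiates TLS 1.3, and the only explicit-version cases are TLS 1.3, so nothing asserts that a TLS 1.2 server still returns the older code (the new mapping lives in lib/tls13/certificate.c, so TLS 1.2 presumably keeps GNUTLS_E_NO_CERTIFICATE_FOUND). Unless an earlier, unseen part of doit() already covers it, adding `start("NORMAL:-VERS-ALL:+VERS-TLS1.2", GNUTLS_CERT_REQUIRE, GNUTLS_E_NO_CERTIFICATE_FOUND);` would catch a regression where the TLS 1.3-only alert leaks into TLS 1.2 sessions; confirm the expected code against the TLS 1.2 path before adding it.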
index 7ea920494c12bf896eb3308a9e7da4a818f13bcb..c12499bc34f7478dff2fb11aba4119f45cc34283 100644 (file)
@@ -110,17 +110,17 @@ void doit(void)
 
        gnutls_certificate_allocate_credentials(&clicred);
        gnutls_certificate_set_retrieve_function(clicred, cert_cb1);
-       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
        gnutls_certificate_free_credentials(clicred);
 
        gnutls_certificate_allocate_credentials(&clicred);
        gnutls_certificate_set_retrieve_function2(clicred, cert_cb2);
-       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
        gnutls_certificate_free_credentials(clicred);
 
        gnutls_certificate_allocate_credentials(&clicred);
        gnutls_certificate_set_retrieve_function3(clicred, cert_cb3);
-       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
        gnutls_certificate_free_credentials(clicred);
 
        gnutls_certificate_free_credentials(x509_cred);
index f165c8b07b7382f62f5e259dd8b4555e0598f035..3e65975326b49b9189b06877b513b97191963450 100644 (file)
@@ -102,19 +102,19 @@ void doit(void)
        gnutls_certificate_allocate_credentials(&clicred);
        gnutls_certificate_set_retrieve_function(clicred, cert_cb1);
        gnutls_certificate_set_retrieve_function(clicred, NULL);
-       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
        gnutls_certificate_free_credentials(clicred);
 
        gnutls_certificate_allocate_credentials(&clicred);
        gnutls_certificate_set_retrieve_function2(clicred, cert_cb2);
        gnutls_certificate_set_retrieve_function2(clicred, NULL);
-       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
        gnutls_certificate_free_credentials(clicred);
 
        gnutls_certificate_allocate_credentials(&clicred);
        gnutls_certificate_set_retrieve_function3(clicred, cert_cb3);
        gnutls_certificate_set_retrieve_function3(clicred, NULL);
-       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+       _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
        gnutls_certificate_free_credentials(clicred);
 
        gnutls_certificate_free_credentials(x509_cred);
index 9d920da80ce9731e564f9a2641a1c99eaae664dc..74f7d8898ac800ec883b2528d6b3393dd3e3ee61 100644 (file)
@@ -360,7 +360,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 void doit(void)
 {
        start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1);
-       start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0);
+       start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0);
        start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0);
 }
 #endif                         /* _WIN32 */
index d24e06db705dfc6b0f9e87b33d7f36cfea339fb8..4875151621ab35485959dba263ef0d0fd56185a0 100644 (file)
@@ -377,7 +377,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 void doit(void)
 {
        start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1);
-       start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0);
+       start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0);
        start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0);
 }
 #endif                         /* _WIN32 */
index a85b57ab7526999b2157b52c94a320e645ed6740..10eb83c94039e1be47021d4e2cd2a48de6465fab 100644 (file)
@@ -361,7 +361,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 void doit(void)
 {
        start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1);
-       start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0);
+       start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0);
        start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0);
 }
 #endif                         /* _WIN32 */