handshake: return GNUTLS_E_NO_CERTIFICATE_FOUND when no certificate is found in TLS1.3
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 3 Oct 2017 09:48:28 +0000 (11:48 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 19 Feb 2018 14:29:35 +0000 (15:29 +0100)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/cert.c
lib/tls13/certificate.c

index dbb8edf98230abc6287b48cc6fa64356997d2bd3..9e3a00f484c81e32f1fca2b7bb7e4b16815490bd 100644 (file)
@@ -243,8 +243,8 @@ gnutls_certificate_allocate_credentials(gnutls_certificate_credentials_t *
  *
  * This function specifies if we (in case of a server) are going to
  * send a certificate request message to the client. If @req is
- * GNUTLS_CERT_REQUIRE then the server will return an error if the
- * peer does not provide a certificate. If you do not call this
+ * GNUTLS_CERT_REQUIRE then the server will return the %GNUTLS_E_NO_CERTIFICATE_FOUND
+ * error if the peer does not provide a certificate. If you do not call this
  * function then the client will not be asked to send a certificate.
  **/
 void
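Review bot: The reworded sentence says "the server will return the %GNUTLS_E_NO_CERTIFICATE_FOUND error", but the function documented here is declared `void`, so the text does not tell the reader which call reports the error. Naming it would make the contract checkable, for example `then the handshake on the server side will fail with %GNUTLS_E_NO_CERTIFICATE_FOUND if the peer does not provide a certificate`. Only the TLS 1.3 receive path is changed on this page, so whether older protocol versions return the same code should be confirmed before the comment promises it unconditionally.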
index 6b4c336fa2d25431658c5ad1c36fa46c07a9b241..5afb2e409c970ac10e496167c95718b1ee856366 100644 (file)
@@ -47,8 +47,12 @@ int _gnutls13_recv_certificate(gnutls_session_t session)
        }
 
        ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional, &buf);
-       if (ret < 0)
+       if (ret < 0) {
+               if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET && session->internals.send_cert_req)
+                       return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND);
+
                return gnutls_assert_val(ret);
+       }
 
        if (buf.length == 0 && optional) {
                return 0;
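Review bot: The added check `ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET && session->internals.send_cert_req` converts every unexpected-packet failure into GNUTLS_E_NO_CERTIFICATE_FOUND, so an out-of-sequence message of any type becomes indistinguishable, in the return code and in any logging keyed on it, from a peer that merely omitted its Certificate message. A comment stating the intent would help, e.g. `/* peer skipped Certificate although we requested one: report a missing certificate */`, and it is worth confirming that callers still treat the new code as fatal rather than as a recoverable "no certificate" case. The condition also does not check which side of the connection we are; if send_cert_req can be set on a client session, adding `session->security_parameters.entity == GNUTLS_SERVER` would confine the mapping to the server path. The body of _gnutls13_recv_certificate starts before and continues after this hunk.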