diff options
author | Daiki Ueno <dueno@redhat.com> | 2019-03-04 17:17:47 +0100 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-03-05 15:02:46 +0100 |
commit | 2a0164bf28fa2d83a274f290ec9aeaa230fb74d8 (patch) | |
tree | cfebee47d1b204d3892de62e919235c85479062b | |
parent | 8507645bc6aef19f3755143886995b0a61f894d6 (diff) | |
download | gnutls-2a0164bf28fa2d83a274f290ec9aeaa230fb74d8.tar.gz |
tls13/certificate: utilize "certificate_required" alerttmp-cert-req
This could make errors more distinguishable when the client sends no
certificates or a bad certificate.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r-- | lib/alert.c | 4 | ||||
-rw-r--r-- | lib/errors.c | 2 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 1 | ||||
-rw-r--r-- | lib/tls13/certificate.c | 9 | ||||
-rw-r--r-- | tests/cert-status.c | 4 | ||||
-rw-r--r-- | tests/empty_retrieve_function.c | 6 | ||||
-rw-r--r-- | tests/null_retrieve_function.c | 6 | ||||
-rw-r--r-- | tests/tls13/post-handshake-with-cert-auto.c | 2 | ||||
-rw-r--r-- | tests/tls13/post-handshake-with-cert.c | 2 | ||||
-rw-r--r-- | tests/tls13/post-handshake-with-psk.c | 2 |
10 files changed, 25 insertions, 13 deletions
diff --git a/lib/alert.c b/lib/alert.c index 6926edf339..dd99c0fc52 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -328,6 +328,10 @@ int gnutls_error_to_alert(int err, int *level) ret = GNUTLS_A_UNRECOGNIZED_NAME; _level = GNUTLS_AL_FATAL; break; + case GNUTLS_E_CERTIFICATE_REQUIRED: + ret = GNUTLS_A_CERTIFICATE_REQUIRED; + _level = GNUTLS_AL_FATAL; + break; default: ret = GNUTLS_A_INTERNAL_ERROR; _level = GNUTLS_AL_FATAL; diff --git a/lib/errors.c b/lib/errors.c index 520958b70c..0ce58043f6 100644 --- a/lib/errors.c +++ b/lib/errors.c @@ -93,6 +93,8 @@ static const gnutls_error_entry error_entries[] = { GNUTLS_E_ERROR_IN_FINISHED_PACKET), ERROR_ENTRY(N_("No certificate was found."), GNUTLS_E_NO_CERTIFICATE_FOUND), + ERROR_ENTRY(N_("Certificate is required."), + GNUTLS_E_CERTIFICATE_REQUIRED), ERROR_ENTRY(N_ ("The given DSA key is incompatible with the selected TLS protocol."), GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL), diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 68ee239c10..5187501a7c 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -3145,6 +3145,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags); #define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80 #define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81 #define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */ +#define GNUTLS_E_CERTIFICATE_REQUIRED -112 /* GNUTLS_A_CERTIFICATE_REQUIRED */ /* returned if you need to generate temporary RSA * parameters. These are needed for export cipher suites. diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c index 2560ca3427..91d0a7fe68 100644 --- a/lib/tls13/certificate.c +++ b/lib/tls13/certificate.c @@ -100,8 +100,13 @@ int _gnutls13_recv_certificate(gnutls_session_t session) ret = parse_cert_list(session, buf.data, buf.length); if (ret < 0) { - if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional) - ret = 0; + if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) { + if (optional) + ret = 0; + else if (session->security_parameters.entity == + GNUTLS_SERVER) + ret = GNUTLS_E_CERTIFICATE_REQUIRED; + } gnutls_assert(); goto cleanup; } diff --git a/tests/cert-status.c b/tests/cert-status.c index 83606ee920..c9b4dc2ea3 100644 --- a/tests/cert-status.c +++ b/tests/cert-status.c @@ -252,11 +252,11 @@ void doit(void) start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_IGNORE, 0); start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUEST, 0); - start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUIRE, GNUTLS_E_NO_CERTIFICATE_FOUND); + start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUIRE, GNUTLS_E_CERTIFICATE_REQUIRED); start("NORMAL", GNUTLS_CERT_IGNORE, 0); start("NORMAL", GNUTLS_CERT_REQUEST, 0); - start("NORMAL", GNUTLS_CERT_REQUIRE, GNUTLS_E_NO_CERTIFICATE_FOUND); + start("NORMAL", GNUTLS_CERT_REQUIRE, GNUTLS_E_CERTIFICATE_REQUIRED); } #endif /* _WIN32 */ diff --git a/tests/empty_retrieve_function.c b/tests/empty_retrieve_function.c index 7ea920494c..c12499bc34 100644 --- a/tests/empty_retrieve_function.c +++ b/tests/empty_retrieve_function.c @@ -110,17 +110,17 @@ void doit(void) gnutls_certificate_allocate_credentials(&clicred); gnutls_certificate_set_retrieve_function(clicred, cert_cb1); - _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1); + _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1); gnutls_certificate_free_credentials(clicred); gnutls_certificate_allocate_credentials(&clicred); gnutls_certificate_set_retrieve_function2(clicred, cert_cb2); - _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1); + _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1); gnutls_certificate_free_credentials(clicred); gnutls_certificate_allocate_credentials(&clicred); gnutls_certificate_set_retrieve_function3(clicred, cert_cb3); - _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1); + _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1); gnutls_certificate_free_credentials(clicred); gnutls_certificate_free_credentials(x509_cred); diff --git a/tests/null_retrieve_function.c b/tests/null_retrieve_function.c index f165c8b07b..3e65975326 100644 --- a/tests/null_retrieve_function.c +++ b/tests/null_retrieve_function.c @@ -102,19 +102,19 @@ void doit(void) gnutls_certificate_allocate_credentials(&clicred); gnutls_certificate_set_retrieve_function(clicred, cert_cb1); gnutls_certificate_set_retrieve_function(clicred, NULL); - _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1); + _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1); gnutls_certificate_free_credentials(clicred); gnutls_certificate_allocate_credentials(&clicred); gnutls_certificate_set_retrieve_function2(clicred, cert_cb2); gnutls_certificate_set_retrieve_function2(clicred, NULL); - _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1); + _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1); gnutls_certificate_free_credentials(clicred); gnutls_certificate_allocate_credentials(&clicred); gnutls_certificate_set_retrieve_function3(clicred, cert_cb3); gnutls_certificate_set_retrieve_function3(clicred, NULL); - _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1); + _test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1); gnutls_certificate_free_credentials(clicred); gnutls_certificate_free_credentials(x509_cred); diff --git a/tests/tls13/post-handshake-with-cert-auto.c b/tests/tls13/post-handshake-with-cert-auto.c index 9d920da80c..74f7d8898a 100644 --- a/tests/tls13/post-handshake-with-cert-auto.c +++ b/tests/tls13/post-handshake-with-cert-auto.c @@ -360,7 +360,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen void doit(void) { start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1); - start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0); + start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0); start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0); } #endif /* _WIN32 */ diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c index d24e06db70..4875151621 100644 --- a/tests/tls13/post-handshake-with-cert.c +++ b/tests/tls13/post-handshake-with-cert.c @@ -377,7 +377,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen void doit(void) { start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1); - start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0); + start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0); start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0); } #endif /* _WIN32 */ diff --git a/tests/tls13/post-handshake-with-psk.c b/tests/tls13/post-handshake-with-psk.c index a85b57ab75..10eb83c940 100644 --- a/tests/tls13/post-handshake-with-psk.c +++ b/tests/tls13/post-handshake-with-psk.c @@ -361,7 +361,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen void doit(void) { start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1); - start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0); + start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0); start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0); } #endif /* _WIN32 */ |