authorDaiki Ueno <dueno@redhat.com>2019-03-04 17:17:47 +0100
committerDaiki Ueno <dueno@redhat.com>2019-03-05 15:02:46 +0100
commit2a0164bf28fa2d83a274f290ec9aeaa230fb74d8 (patch)
treecfebee47d1b204d3892de62e919235c85479062b /lib
parent8507645bc6aef19f3755143886995b0a61f894d6 (diff)
tls13/certificate: utilize "certificate_required" alerttmp-cert-req
This could make errors more distinguishable when the client sends no certificates or a bad certificate. Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/alert.c4
-rw-r--r--lib/errors.c2
-rw-r--r--lib/includes/gnutls/gnutls.h.in1
-rw-r--r--lib/tls13/certificate.c9
4 files changed, 14 insertions, 2 deletions
diff --git a/lib/alert.c b/lib/alert.c
index 6926edf339..dd99c0fc52 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -328,6 +328,10 @@ int gnutls_error_to_alert(int err, int *level)
ret = GNUTLS_A_UNRECOGNIZED_NAME;
_level = GNUTLS_AL_FATAL;
break;
+ case GNUTLS_E_CERTIFICATE_REQUIRED:
+ ret = GNUTLS_A_CERTIFICATE_REQUIRED;
+ _level = GNUTLS_AL_FATAL;
+ break;
default:
ret = GNUTLS_A_INTERNAL_ERROR;
_level = GNUTLS_AL_FATAL;
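Review bot: The new `case GNUTLS_E_CERTIFICATE_REQUIRED:` maps to certificate_required, an alert defined only for TLS 1.3, and gnutls_error_to_alert() takes no session argument with which to check the negotiated version. The mapping is therefore only safe while this error code is never returned on a pre-1.3 handshake path. Within the files shown here the code is produced only in lib/tls13/certificate.c, which keeps that invariant, but nothing at the case label records it. A comment above the case such as `/* TLS 1.3 only: must not be returned by pre-1.3 handshake code */` would make the constraint explicit for whoever reuses the error code later. The switch starts and ends outside the hunk.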
diff --git a/lib/errors.c b/lib/errors.c
index 520958b70c..0ce58043f6 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -93,6 +93,8 @@ static const gnutls_error_entry error_entries[] = {
GNUTLS_E_ERROR_IN_FINISHED_PACKET),
ERROR_ENTRY(N_("No certificate was found."),
GNUTLS_E_NO_CERTIFICATE_FOUND),
+ ERROR_ENTRY(N_("Certificate is required."),
+ GNUTLS_E_CERTIFICATE_REQUIRED),
ERROR_ENTRY(N_
("The given DSA key is incompatible with the selected TLS protocol."),
GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL),
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 68ee239c10..5187501a7c 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3145,6 +3145,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
#define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
#define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
#define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
+#define GNUTLS_E_CERTIFICATE_REQUIRED -112 /* GNUTLS_A_CERTIFICATE_REQUIRED */
/* returned if you need to generate temporary RSA
* parameters. These are needed for export cipher suites.
diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index 2560ca3427..91d0a7fe68 100644
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -100,8 +100,13 @@ int _gnutls13_recv_certificate(gnutls_session_t session)
ret = parse_cert_list(session, buf.data, buf.length);
if (ret < 0) {
- if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional)
- ret = 0;
+ if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+ if (optional)
+ ret = 0;
+ else if (session->security_parameters.entity ==
+ GNUTLS_SERVER)
+ ret = GNUTLS_E_CERTIFICATE_REQUIRED;
+ }
gnutls_assert();
goto cleanup;
}
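Review bot: For a server this changes the error surfaced on a missing client certificate from GNUTLS_E_NO_CERTIFICATE_FOUND to GNUTLS_E_CERTIFICATE_REQUIRED. An application that matches on the old code to detect an unauthenticated client, for logging or for a policy decision, will silently stop matching under TLS 1.3. The pre-1.3 path is not visible here and presumably still returns the old code, so callers would need to handle both; that deserves a line in the release notes and in the documentation of the new constant. The `else if` restricting the remap to `GNUTLS_SERVER` is correct but unexplained; a comment such as `/* certificate_required is sent only by servers (RFC 8446, 6.2); a client keeps NO_CERTIFICATE_FOUND */` would stop a later cleanup from dropping the check. The body of _gnutls13_recv_certificate continues outside the hunk.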