From 2a0164bf28fa2d83a274f290ec9aeaa230fb74d8 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 4 Mar 2019 17:17:47 +0100
Subject: tls13/certificate: utilize "certificate_required" alert

This could make errors more distinguishable when the client sends no
certificates or a bad certificate.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/alert.c                     | 4 ++++
 lib/errors.c                    | 2 ++
 lib/includes/gnutls/gnutls.h.in | 1 +
 lib/tls13/certificate.c         | 9 +++++++--
 4 files changed, 14 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/alert.c b/lib/alert.c
index 6926edf339..dd99c0fc52 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -328,6 +328,10 @@ int gnutls_error_to_alert(int err, int *level)
 		ret = GNUTLS_A_UNRECOGNIZED_NAME;
 		_level = GNUTLS_AL_FATAL;
 		break;
+	case GNUTLS_E_CERTIFICATE_REQUIRED:
+		ret = GNUTLS_A_CERTIFICATE_REQUIRED;
+		_level = GNUTLS_AL_FATAL;
+		break;
 	default:
 		ret = GNUTLS_A_INTERNAL_ERROR;
 		_level = GNUTLS_AL_FATAL;
diff --git a/lib/errors.c b/lib/errors.c
index 520958b70c..0ce58043f6 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -93,6 +93,8 @@ static const gnutls_error_entry error_entries[] = {
 		    GNUTLS_E_ERROR_IN_FINISHED_PACKET),
 	ERROR_ENTRY(N_("No certificate was found."),
 		    GNUTLS_E_NO_CERTIFICATE_FOUND),
+	ERROR_ENTRY(N_("Certificate is required."),
+		    GNUTLS_E_CERTIFICATE_REQUIRED),
 	ERROR_ENTRY(N_
 		    ("The given DSA key is incompatible with the selected TLS protocol."),
 		    GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL),
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 68ee239c10..5187501a7c 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -3145,6 +3145,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
 #define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
 #define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
 #define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
+#define GNUTLS_E_CERTIFICATE_REQUIRED -112 /* GNUTLS_A_CERTIFICATE_REQUIRED */
 
   /* returned if you need to generate temporary RSA
    * parameters. These are needed for export cipher suites.
diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index 2560ca3427..91d0a7fe68 100644
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -100,8 +100,13 @@ int _gnutls13_recv_certificate(gnutls_session_t session)
 
 	ret = parse_cert_list(session, buf.data, buf.length);
 	if (ret < 0) {
-		if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional)
-			ret = 0;
+		if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+			if (optional)
+				ret = 0;
+			else if (session->security_parameters.entity ==
+				 GNUTLS_SERVER)
+				ret = GNUTLS_E_CERTIFICATE_REQUIRED;
+		}
 		gnutls_assert();
 		goto cleanup;
 	}
-- 
cgit v1.2.1