Merge branch 'tmp-cert-req' into 'master'

TLS 1.3: utilize "certificate_required" alert

Closes #715

See merge request gnutls/gnutls!946

10 files changed, 29 insertions, 13 deletions

diff --git a/lib/alert.c b/lib/alert.c
index a2d1725e6b..dd99c0fc52 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -84,6 +84,8 @@ static const gnutls_alert_entry sup_alerts[] = {
 	ALERT_ENTRY(GNUTLS_A_NO_APPLICATION_PROTOCOL,
 		    N_
 		    ("No supported application protocol could be negotiated")),
+	ALERT_ENTRY(GNUTLS_A_CERTIFICATE_REQUIRED,
+		    N_("Certificate is required")),
 	{0, NULL, NULL}
 };
 
@@ -326,6 +328,10 @@ int gnutls_error_to_alert(int err, int *level)
 		ret = GNUTLS_A_UNRECOGNIZED_NAME;
 		_level = GNUTLS_AL_FATAL;
 		break;
+	case GNUTLS_E_CERTIFICATE_REQUIRED:
+		ret = GNUTLS_A_CERTIFICATE_REQUIRED;
+		_level = GNUTLS_AL_FATAL;
+		break;
 	default:
 		ret = GNUTLS_A_INTERNAL_ERROR;
 		_level = GNUTLS_AL_FATAL;
diff --git a/lib/errors.c b/lib/errors.c
index 520958b70c..0ce58043f6 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -93,6 +93,8 @@ static const gnutls_error_entry error_entries[] = {
 		    GNUTLS_E_ERROR_IN_FINISHED_PACKET),
 	ERROR_ENTRY(N_("No certificate was found."),
 		    GNUTLS_E_NO_CERTIFICATE_FOUND),
+	ERROR_ENTRY(N_("Certificate is required."),
+		    GNUTLS_E_CERTIFICATE_REQUIRED),
 	ERROR_ENTRY(N_
 		    ("The given DSA key is incompatible with the selected TLS protocol."),
 		    GNUTLS_E_INCOMPAT_DSA_KEY_WITH_TLS_PROTOCOL),
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index eb808e40b4..5187501a7c 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -526,6 +526,7 @@ typedef enum {
  *   recognized.
  * @GNUTLS_A_UNKNOWN_PSK_IDENTITY: The SRP/PSK username is missing
  *   or not known.
+ * @GNUTLS_A_CERTIFICATE_REQUIRED: Certificate is required.
  * @GNUTLS_A_NO_APPLICATION_PROTOCOL: The ALPN protocol requested is
  *   not supported by the peer.
  *
@@ -562,6 +563,7 @@ typedef enum {
 	GNUTLS_A_CERTIFICATE_UNOBTAINABLE = 111,
 	GNUTLS_A_UNRECOGNIZED_NAME = 112,
 	GNUTLS_A_UNKNOWN_PSK_IDENTITY = 115,
+	GNUTLS_A_CERTIFICATE_REQUIRED = 116,
 	GNUTLS_A_NO_APPLICATION_PROTOCOL = 120,
 	GNUTLS_A_MAX = GNUTLS_A_NO_APPLICATION_PROTOCOL
 } gnutls_alert_description_t;
@@ -3143,6 +3145,7 @@ void gnutls_fips140_set_mode(gnutls_fips_mode_t mode, unsigned flags);
 #define GNUTLS_E_UNKNOWN_PK_ALGORITHM -80
 #define GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS -81
 #define GNUTLS_E_RECEIVED_DISALLOWED_NAME -82 /* GNUTLS_A_ILLEGAL_PARAMETER */
+#define GNUTLS_E_CERTIFICATE_REQUIRED -112 /* GNUTLS_A_CERTIFICATE_REQUIRED */
 
   /* returned if you need to generate temporary RSA
    * parameters. These are needed for export cipher suites.
diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index 2560ca3427..91d0a7fe68 100644
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -100,8 +100,13 @@ int _gnutls13_recv_certificate(gnutls_session_t session)
 
 	ret = parse_cert_list(session, buf.data, buf.length);
 	if (ret < 0) {
-		if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional)
-			ret = 0;
+		if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+			if (optional)
+				ret = 0;
+			else if (session->security_parameters.entity ==
+				 GNUTLS_SERVER)
+				ret = GNUTLS_E_CERTIFICATE_REQUIRED;
+		}
 		gnutls_assert();
 		goto cleanup;
 	}
diff --git a/tests/cert-status.c b/tests/cert-status.c
index 83606ee920..c9b4dc2ea3 100644
--- a/tests/cert-status.c
+++ b/tests/cert-status.c
@@ -252,11 +252,11 @@ void doit(void)
 
 	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_IGNORE, 0);
 	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUEST, 0);
-	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUIRE, GNUTLS_E_NO_CERTIFICATE_FOUND);
+	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_CERT_REQUIRE, GNUTLS_E_CERTIFICATE_REQUIRED);
 
 	start("NORMAL", GNUTLS_CERT_IGNORE, 0);
 	start("NORMAL", GNUTLS_CERT_REQUEST, 0);
-	start("NORMAL", GNUTLS_CERT_REQUIRE, GNUTLS_E_NO_CERTIFICATE_FOUND);
+	start("NORMAL", GNUTLS_CERT_REQUIRE, GNUTLS_E_CERTIFICATE_REQUIRED);
 }
 
 #endif				/* _WIN32 */
diff --git a/tests/empty_retrieve_function.c b/tests/empty_retrieve_function.c
index 7ea920494c..c12499bc34 100644
--- a/tests/empty_retrieve_function.c
+++ b/tests/empty_retrieve_function.c
@@ -110,17 +110,17 @@ void doit(void)
 
 	gnutls_certificate_allocate_credentials(&clicred);
 	gnutls_certificate_set_retrieve_function(clicred, cert_cb1);
-	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
 	gnutls_certificate_free_credentials(clicred);
 
 	gnutls_certificate_allocate_credentials(&clicred);
 	gnutls_certificate_set_retrieve_function2(clicred, cert_cb2);
-	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
 	gnutls_certificate_free_credentials(clicred);
 
 	gnutls_certificate_allocate_credentials(&clicred);
 	gnutls_certificate_set_retrieve_function3(clicred, cert_cb3);
-	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
 	gnutls_certificate_free_credentials(clicred);
 
 	gnutls_certificate_free_credentials(x509_cred);
diff --git a/tests/null_retrieve_function.c b/tests/null_retrieve_function.c
index f165c8b07b..3e65975326 100644
--- a/tests/null_retrieve_function.c
+++ b/tests/null_retrieve_function.c
@@ -102,19 +102,19 @@ void doit(void)
 	gnutls_certificate_allocate_credentials(&clicred);
 	gnutls_certificate_set_retrieve_function(clicred, cert_cb1);
 	gnutls_certificate_set_retrieve_function(clicred, NULL);
-	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
 	gnutls_certificate_free_credentials(clicred);
 
 	gnutls_certificate_allocate_credentials(&clicred);
 	gnutls_certificate_set_retrieve_function2(clicred, cert_cb2);
 	gnutls_certificate_set_retrieve_function2(clicred, NULL);
-	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
 	gnutls_certificate_free_credentials(clicred);
 
 	gnutls_certificate_allocate_credentials(&clicred);
 	gnutls_certificate_set_retrieve_function3(clicred, cert_cb3);
 	gnutls_certificate_set_retrieve_function3(clicred, NULL);
-	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_NO_CERTIFICATE_FOUND, -1);
+	_test_cli_serv(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", NULL, NULL, NULL, 0, 1, GNUTLS_E_CERTIFICATE_REQUIRED, -1);
 	gnutls_certificate_free_credentials(clicred);
 
 	gnutls_certificate_free_credentials(x509_cred);
diff --git a/tests/tls13/post-handshake-with-cert-auto.c b/tests/tls13/post-handshake-with-cert-auto.c
index 9d920da80c..74f7d8898a 100644
--- a/tests/tls13/post-handshake-with-cert-auto.c
+++ b/tests/tls13/post-handshake-with-cert-auto.c
@@ -360,7 +360,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 void doit(void)
 {
 	start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1);
-	start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0);
+	start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0);
 	start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0);
 }
 #endif				/* _WIN32 */
diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c
index d24e06db70..4875151621 100644
--- a/tests/tls13/post-handshake-with-cert.c
+++ b/tests/tls13/post-handshake-with-cert.c
@@ -377,7 +377,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 void doit(void)
 {
 	start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1);
-	start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0);
+	start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0);
 	start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0);
 }
 #endif				/* _WIN32 */
diff --git a/tests/tls13/post-handshake-with-psk.c b/tests/tls13/post-handshake-with-psk.c
index a85b57ab75..10eb83c940 100644
--- a/tests/tls13/post-handshake-with-psk.c
+++ b/tests/tls13/post-handshake-with-psk.c
@@ -361,7 +361,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 void doit(void)
 {
 	start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1);
-	start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0);
+	start("reauth-require with no-cert", GNUTLS_E_CERTIFICATE_REQUIRED, GNUTLS_CERT_REQUIRE, 1, 0);
 	start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0);
 }
 #endif				/* _WIN32 */