From 8273df8383dca8ff23d11ba57d78c13ccd24c3af Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 6 Feb 2019 17:37:32 +0000
Subject: [PATCH] Re-classify errors on missing peer CRT

mbedtls_ssl_parse_certificate() will fail if a ciphersuite requires a certificate, but none is provided. While it is sensible to double- check this, failure should be reported as an internal error and not as an unexpected message.
---
 library/ssl_cli.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index b564bf6314..b0c8b302e9 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2292,8 +2292,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
 if( ssl->session_negotiate->peer_cert == NULL )
 {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
- return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+ /* Should never happen */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 /*
@@ -2404,8 +2404,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 if( ssl->session_negotiate->peer_cert == NULL )
 {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
- return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+ /* Should never happen */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
@@ -2744,10 +2744,8 @@ start_processing:
 if( ssl->session_negotiate->peer_cert == NULL )
 {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
- return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+ /* Should never happen */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 }
 /*
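Review bot: The new `/* Should never happen */` branch in ssl_write_encrypted_pms() returns MBEDTLS_ERR_SSL_INTERNAL_ERROR without logging anything, so a violated invariant leaves no trace even in a debug build; the hunks in ssl_get_ecdh_params_from_cert() and after `start_processing:` have the same gap. Keep a debug line before each return, for example `MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );`. The comment should also name the invariant it depends on, e.g. `/* mbedtls_ssl_parse_certificate() rejects a missing certificate for ciphersuites that require one */`. This check is the only guard between a regression in that path and the `peer_cert->pk` dereference visible in the second hunk. The enclosing functions start and end outside the hunks.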
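Review bot: The hunk after `start_processing:` drops the `mbedtls_ssl_send_alert_message()` call along with the debug message, so if this branch is ever taken the peer receives no fatal alert and only sees the handshake stop. Unless the caller is known to send an alert for MBEDTLS_ERR_SSL_INTERNAL_ERROR (not visible here), keep the alert and change its description to match the new classification: `mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );`. The enclosing function starts and ends outside the hunk.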