Re-classify errors on missing peer CRT

mbedtls_ssl_parse_certificate() will fail if a ciphersuite requires
a certificate, but none is provided. While it is sensible to double-
check this, failure should be reported as an internal error and not
as an unexpected message.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index b564bf6..b0c8b30 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2292,8 +2292,8 @@
 
     if( ssl->session_negotiate->peer_cert == NULL )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
-        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        /* Should never happen */
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
     }
 
     /*
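Review bot: The new `peer_cert == NULL` branch returns MBEDTLS_ERR_SSL_INTERNAL_ERROR with no trace at all, because the debug line was dropped together with the old error code; the hunks at -2404 and -2744 have the same gap. A broken handshake invariant is the kind of event someone diagnosing a failed connection needs to find in the log, so I would keep a message at level 1, for example `MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );`. The comment could also state the reason instead of only the conclusion, e.g. `/* mbedtls_ssl_parse_certificate() already fails if the ciphersuite requires a certificate and none was sent */`. The enclosing function starts and ends outside the hunk.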
@@ -2404,8 +2404,8 @@
 
     if( ssl->session_negotiate->peer_cert == NULL )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
-        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        /* Should never happen */
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
     }
 
     if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
@@ -2744,10 +2744,8 @@
 
         if( ssl->session_negotiate->peer_cert == NULL )
         {
-            MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
-            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
-            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            /* Should never happen */
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
         }
 
         /*
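Review bot: With the `mbedtls_ssl_send_alert_message()` call removed, this branch now aborts the handshake without notifying the peer, unless the caller sends an alert on error, which is not visible here. handshake_failure was a poor fit for a local invariant violation, but TLS defines an alert for this case; consider `mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );` before the return. Whichever behaviour is chosen, the three peer_cert checks in this file should agree, and the first two hunks send no alert either before or after the change. The enclosing block continues outside the hunk.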