[glib-networking/rufferson/openssl/tests/other: 5/7] Handle Cert-Without-Key condition in openssl/retrieve_certificate



commit 01898867ad842dc22fc194ba933eaf9eb6d77e41
Author: Ruslan N. Marchenko <me ruff mobi>
Date:   Sat Jul 4 14:30:13 2020 +0200

    Handle Cert-Without-Key condition in openssl/retrieve_certificate

 tls/openssl/gtlsclientconnection-openssl.c | 16 ++++++++++------
 tls/openssl/gtlsconnection-openssl.c       | 19 ++++++++++++-------
 tls/tests/connection.c                     | 15 +++++----------
 3 files changed, 27 insertions(+), 23 deletions(-)
---
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index aa533b7..83210dd 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -273,17 +273,21 @@ handshake_thread_retrieve_certificate (SSL       *ssl,
       EVP_PKEY *key;
 
       key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
-      /* increase ref count */
+
+      if (key != NULL)
+        {
+          /* increase ref count */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-      CRYPTO_add (&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
+          CRYPTO_add (&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #else
-      EVP_PKEY_up_ref (key);
+          EVP_PKEY_up_ref (key);
 #endif
-      *pkey = key;
+          *pkey = key;
 
-      *x509 = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert)));
+          *x509 = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert)));
 
-      return 1;
+          return 1;
+        }
     }
 
   g_tls_connection_base_handshake_thread_set_missing_requested_client_certificate (tls);
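Review bot: The `*x509 = X509_dup (...)` line inside the new `if (key != NULL)` block is still unchecked, so an allocation failure returns 1 with `*pkey` set and `*x509` NULL, and the key reference taken just above it is leaked. Guard the `return 1;` on `*x509 != NULL`, and on failure release the reference with `EVP_PKEY_free (key)` and reset `*pkey = NULL` so control falls through to the missing-certificate path below instead. The new `if (key != NULL)` would also read better with a one-line reason, e.g. `/* A certificate with no private key cannot authenticate the client; treat it as missing. */`. handshake_thread_retrieve_certificate begins before this hunk and its return after the missing-certificate call is outside it.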
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index f2c024e..cc405a8 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -138,13 +138,18 @@ end_openssl_io (GTlsConnectionOpenssl  *openssl,
 
   if (g_tls_connection_base_is_handshaking (tls) && !g_tls_connection_base_ever_handshaked (tls))
     {
-      if (reason == SSL_R_BAD_PACKET_LENGTH ||
-          reason == SSL_R_UNKNOWN_ALERT_TYPE ||
-          reason == SSL_R_DECRYPTION_FAILED ||
-          reason == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ||
-          reason == SSL_R_BAD_PROTOCOL_VERSION_NUMBER ||
-          reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE ||
-          reason == SSL_R_UNKNOWN_PROTOCOL)
+      if (reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE && my_error)
+        {
+          g_propagate_error (error, my_error);
+          return G_TLS_CONNECTION_BASE_ERROR;
+        }
+      else if (reason == SSL_R_BAD_PACKET_LENGTH ||
+               reason == SSL_R_UNKNOWN_ALERT_TYPE ||
+               reason == SSL_R_DECRYPTION_FAILED ||
+               reason == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ||
+               reason == SSL_R_BAD_PROTOCOL_VERSION_NUMBER ||
+               reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE ||
+               reason == SSL_R_UNKNOWN_PROTOCOL)
         {
           g_clear_error (&my_error);
           g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS,
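Review bot: The new `if (reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE && my_error)` branch has no comment explaining why a handshake_failure alert is reported through the pending `my_error` rather than mapped to `G_TLS_ERROR_NOT_TLS` like the reasons in the `else if`, and a reader will otherwise take the repeated `SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE` in the second list for a leftover. Suggest `/* A handshake_failure alert with an error already pending (presumably the missing-client-certificate error set by the certificate callback) carries the real cause; propagate it instead of reporting NOT_TLS. */`, and a short remark that the second list still handles the alert when no error is pending. Where `my_error` is populated is outside this hunk, so the "presumably" should be confirmed; end_openssl_io starts before the hunk and continues past it.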
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index 0b67534..86cbf55 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -1190,11 +1190,6 @@ test_client_auth_fail_missing_client_private_key (TestConnection *test,
   GIOStream *connection;
   GError *error = NULL;
 
-#ifdef BACKEND_IS_OPENSSL
-  g_test_skip ("this new test does not work with openssl, more research needed");
-  return;
-#endif
-
   g_test_bug ("793712");
 
   test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
@@ -1226,7 +1221,11 @@ test_client_auth_fail_missing_client_private_key (TestConnection *test,
   wait_until_server_finished (test);
 
   g_assert_error (test->read_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED);
+#if BACKEND_IS_OPENSSL
+  g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED);
+#else
   g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS);
+#endif
 }
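Review bot: The new `#if BACKEND_IS_OPENSSL` tests the macro's value, while the skip blocks this commit removes in the same file used `#ifdef BACKEND_IS_OPENSSL`, which tests only its definition. If the build defines the macro with no value, `#if` is a compile error ("#if with no expression"), and if it were defined as 0 the two assertions would silently swap. Use `#ifdef BACKEND_IS_OPENSSL` to match the file's existing convention.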
 
 static void
@@ -1290,11 +1289,6 @@ test_client_auth_request_fail (TestConnection *test,
   GError *error = NULL;
   GTlsInteraction *interaction;
 
-#ifdef BACKEND_IS_OPENSSL
-  g_test_skip ("this new test does not work with openssl, more research needed");
-  return;
-#endif
-
   test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
   g_assert_no_error (error);
   g_assert_nonnull (test->database);
@@ -1331,6 +1325,7 @@ test_client_auth_request_fail (TestConnection *test,
    * as we expect, just not with the desired error.
    */
   if (!g_error_matches (test->read_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS) &&
+      !g_error_matches (test->read_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED) &&
       !g_error_matches (test->read_error, G_TLS_ERROR, G_TLS_ERROR_EOF))
     {
       /* G_FILE_ERROR_ACCES is the error returned by our mock interaction object
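Review bot: The added `G_TLS_ERROR_CERTIFICATE_REQUIRED` alternative in the `g_error_matches` chain is not reflected in the comment immediately above it (which starts before this hunk and ends at `just not with the desired error.`); that comment should also say that the OpenSSL backend now reports CERTIFICATE_REQUIRED for this case, so the next reader knows the third alternative is intentional rather than a loosening of the test. The rest of test_client_auth_request_fail continues past the hunk.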

