author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-03-24 17:21:54 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2003-03-24 17:21:54 +0000 |
commit | f5669ae6e791277e24019dac60b1f3d83c704d5e (patch) | |
tree | f61caed5d91bccfefcf74698addee100fd09853a | |
parent | 1b962233d3299078f5cc125d76005cf991c0b642 (diff) | |
* Corrected behaviour when a certificate request message is received.
Now a certificate packet is always sent, and in SSL 3.0 cipher suites
a no_certificate alert is sent instead.
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | lib/auth_cert.c | 9 | ||||
-rw-r--r-- | lib/gnutls_buffers.c | 76 | ||||
-rw-r--r-- | lib/gnutls_global.c | 6 | ||||
-rw-r--r-- | lib/gnutls_kx.c | 39 |
5 files changed, 87 insertions, 49 deletions
@@ -1,3 +1,9 @@ +Version 0.9.4 +- Corrected a parsing error in the Certificate request message. +- Corrected behaviour when a certificate request message is received. + Now a certificate packet is always sent, and in SSL 3.0 cipher suites + a no_certificate alert is sent instead. + Version 0.9.3 (24/03/2003) - Support for MD2 was dropped. - Improved the error logging functions, by adding a level, and diff --git a/lib/auth_cert.c b/lib/auth_cert.c index 23138c98ef..7fb8799933 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -429,7 +429,8 @@ int _gnutls_gen_x509_crt(gnutls_session session, opaque ** data) gnutls_privkey *apr_pkey; int apr_cert_list_length; - /* find the appropriate certificate */ + /* find the appropriate certificate + */ if ((ret = _gnutls_find_apr_cert(session, &apr_cert_list, &apr_cert_list_length, @@ -1043,8 +1044,10 @@ int _gnutls_proc_cert_cert_req(gnutls_session session, opaque * data, */ session->internals.selected_cert_index = ind; - if (ind >= 0) - session->key->certificate_requested = 1; + /* We should reply with a certificate message, + * even if we have no certificate to send. + */ + session->key->certificate_requested = 1; return 0; } diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c index 03d8ca63e6..4ff898b12e 100644 --- a/lib/gnutls_buffers.c +++ b/lib/gnutls_buffers.c @@ -201,9 +201,7 @@ static ssize_t _gnutls_read( gnutls_session session, void *iptr, size_t sizeOfPt size_t left; ssize_t i=0; char *ptr = iptr; -#ifdef READ_DEBUG - int j,x, sum=0; -#endif + uint j,x, sum=0; gnutls_transport_ptr fd = session->internals.transport_recv_ptr; session->internals.direction = 0; 
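Review bot: Dropping the `if (ind >= 0)` guard in the @@ -1043 hunk of lib/auth_cert.c sets `certificate_requested` even when no certificate was selected, while `_gnutls_send_client_certificate_verify` in the @@ -213 hunk of lib/gnutls_kx.c still returns early only on `certificate_requested==0`, so the no-certificate case now falls through to `gnutls_generate_client_cert_vrfy`. The @@ -350 hunk handles that case for the Certificate message, but nothing visible handles it for CertificateVerify, which is only valid after a client certificate was actually sent. Unless the generator already returns 0 for `selected_cert_index < 0` (its body is outside the diff), mirror the new check there: `if (session->key->certificate_requested==0 || session->internals.selected_cert_index < 0) return 0;`. Both enclosing functions start and end outside their hunks.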
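Review bot: `uint j,x, sum=0;` in the @@ -201 hunk of lib/gnutls_buffers.c (and the matching @@ -522 hunk) introduces `uint`, which is not a C standard type but a `<sys/types.h>` extension; before this change the declaration was only compiled under READ_DEBUG/WRITE_DEBUG, so the dependency now reaches every build. `unsigned int j, x, sum = 0;` is what `%.4x` expects for `x` and keeps the comparisons against the `size_t` expressions `sizeOfPtr-left` and `n-left` unsigned/unsigned. The `(uint)((i)/16)` cast in the @@ -591 hunk should change the same way.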
@@ -246,21 +244,29 @@ static ssize_t _gnutls_read( gnutls_session session, void *iptr, size_t sizeOfPt } finish: - -#ifdef READ_DEBUG - _gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd); - for (x=0;x<((sizeOfPtr-left)/16)+1;x++) { - _gnutls_read_log( "%.4x - ",x); - for (j=0;j<16;j++) { - if (sum<(sizeOfPtr-left)) { - _gnutls_read_log( "%.2x ", ((unsigned char*)ptr)[sum++]); + + if (_gnutls_log_level >= 7) { + char line[128]; + char tmp[16]; + + + _gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd); + + for (x=0;x<((sizeOfPtr-left)/16)+1;x++) { + line[0] = 0; + + sprintf( tmp, "%.4x - ",x); + _gnutls_str_cat( line, sizeof(line), tmp); + + for (j=0;j<16;j++) { + if (sum<(sizeOfPtr-left)) { + sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]); + _gnutls_str_cat( line, sizeof(line), tmp); + } } + _gnutls_read_log( "%s\n", line); } - _gnutls_read_log( "\n"); - } -#endif - return (sizeOfPtr - left); } @@ -522,9 +528,7 @@ static int _gnutls_buffer_get( gnutls_buffer * buffer, const opaque ** ptr, size ssize_t _gnutls_io_write_buffered( gnutls_session session, const void *iptr, size_t n) { size_t left; -#ifdef WRITE_DEBUG - int j,x, sum=0; -#endif + uint j,x, sum=0; ssize_t retval, i; const opaque * ptr; int ret; 
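Review bot: `_gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd);` passes a `size_t` difference and a `gnutls_transport_ptr` to `%d`, which is undefined behaviour for a variadic format; the line was previously dead under `#ifdef READ_DEBUG` and is now compiled into every build, and the same applies to `i`, `fd`, `left` and `n` in the WRITE log line of the @@ -591 hunk. Cast each argument to the width its specifier expects, e.g. `_gnutls_read_log( "READ: read %lu bytes from %p\n", (unsigned long)(sizeOfPtr-left), (void*)fd);`, assuming `gnutls_transport_ptr` is a pointer type, which the diff does not show. Since the new block at `_gnutls_log_level >= 7` also logs every byte of each record read, the level that turns on payload dumps should be stated in the `gnutls_global_set_log_level` comment. `_gnutls_read` begins outside the hunk.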
@@ -591,23 +595,31 @@ ssize_t _gnutls_io_write_buffered( gnutls_session session, const void *iptr, siz } left -= i; -#ifdef WRITE_DEBUG - _gnutls_write_log( "WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", i, fd, left, n); - for (x=0;x<((i)/16)+1;x++) { - if (sum>n-left) - break; - _gnutls_write_log( "%.4x - ",x); - for (j=0;j<16;j++) { - if (sum<n-left) { - _gnutls_write_log( "%.2x ", ((unsigned char*)ptr)[sum++]); - } else break; + if (_gnutls_log_level >= 7) { + char line[128]; + char tmp[16]; + + + _gnutls_write_log( "WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", i, fd, left, n); + for (x=0;x<(uint)((i)/16)+1;x++) { + line[0] = 0; + + if (sum>n-left) + break; + + sprintf( tmp, "%.4x - ",x); + _gnutls_str_cat( line, sizeof(line), tmp); + + for (j=0;j<16;j++) { + if (sum<n-left) { + sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]); + _gnutls_str_cat( line, sizeof(line), tmp); + } else break; + } + _gnutls_write_log( "%s\n", line); } - _gnutls_write_log( "\n"); } - _gnutls_write_log( "\n"); -#endif - } retval = n + session->internals.record_send_buffer_prev_size; diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c index a04e573e96..fad98adea0 100644 --- a/lib/gnutls_global.c +++ b/lib/gnutls_global.c @@ -32,7 +32,7 @@ extern const ASN1_ARRAY_TYPE gnutls_asn1_tab[]; extern const ASN1_ARRAY_TYPE pkix_asn1_tab[]; LOG_FUNC _gnutls_log_func; -int _gnutls_log_level = 2; /* default log level */ +int _gnutls_log_level = 0; /* default log level */ ASN1_TYPE _gnutls_pkix1_asn; ASN1_TYPE _gnutls_gnutls_asn; 
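Review bot: The hex-dump loop added here repeats the one in the @@ -246 hunk almost line for line (row prefix via `sprintf`/`_gnutls_str_cat`, 16 bytes per row, `%s\n` flush), with only the bound and the log function differing, and the extra `if (sum>n-left) break;` shows the two copies already drifting. A small static helper that formats one row into the caller's buffer lets each site keep its own log call and bound, and bounding the `sprintf` into `tmp` with `snprintf` costs nothing. `_gnutls_io_write_buffered` starts and ends outside the hunk.
```c
/* Format row `row` of `data` (16 bytes per row, starting at *off) into
 * `line`, which must hold at least line_size bytes; advances *off.
 */
static void _gnutls_hex_row(char *line, size_t line_size, unsigned row,
	const unsigned char *data, size_t len, unsigned *off)
{
	char tmp[16];
	unsigned j;

	line[0] = 0;
	snprintf( tmp, sizeof(tmp), "%.4x - ", row);
	_gnutls_str_cat( line, line_size, tmp);

	for (j = 0; j < 16 && *off < len; j++) {
		snprintf( tmp, sizeof(tmp), "%.2x ", data[(*off)++]);
		_gnutls_str_cat( line, line_size, tmp);
	}
}

/* … unchanged: _gnutls_io_write_buffered up to the WRITE log line … */
		for (x = 0; x < (unsigned)(i/16)+1 && sum <= n-left; x++) {
			_gnutls_hex_row( line, sizeof(line), x, (const unsigned char*)ptr, n-left, &sum);
			_gnutls_write_log( "%s\n", line);
		}
```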
@@ -60,10 +60,10 @@ void gnutls_global_set_log_function( gnutls_log_func log_func) * * This is the function that allows you to set the log level. * The level is an integer between 0 and 9. Higher values mean - * more verbosity. The default value is 2. Larger values should + * more verbosity. The default value is 0. Larger values should * only be used with care, since they may reveal sensitive information. * - * Use the log level '0' to disable logging. + * Use a log level over 10 to enable all debugging options. * **/ void gnutls_global_set_log_level( int level) diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c index 18f06f8129..80a6bf789c 100644 --- a/lib/gnutls_kx.c +++ b/lib/gnutls_kx.c @@ -213,9 +213,8 @@ int _gnutls_send_client_certificate_verify( gnutls_session session, int again) /* if certificate verify is not needed just exit */ - if (session->key->certificate_requested==0) { + if (session->key->certificate_requested==0) return 0; - } if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy==NULL) { gnutls_assert(); 
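Review bot: The updated comment on `gnutls_global_set_log_level` now states both that `The level is an integer between 0 and 9` and `Use a log level over 10 to enable all debugging options`, and it drops the sentence saying what `0` means just as the default becomes 0 in the @@ -32 hunk. Make the range statement agree with the new upper bound and restore the meaning of zero, e.g. `* Use the log level '0' (the default) to disable logging. Levels of 7 and above also log the raw contents of every record read and written.` The 7 threshold follows from the `_gnutls_log_level >= 7` checks added in lib/gnutls_buffers.c; whether 0 still disables output depends on the log function, which is outside the diff.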
@@ -350,24 +349,42 @@ int _gnutls_send_client_certificate( gnutls_session session, int again) if (session->key->certificate_requested == 0) return 0; - if (session->internals.auth_struct->gnutls_generate_client_certificate==NULL) + if (session->internals.auth_struct->gnutls_generate_client_certificate==NULL) return 0; data = NULL; data_size = 0; if (again == 0) { - data_size = session->internals.auth_struct->gnutls_generate_client_certificate( session, &data); + if (gnutls_protocol_get_version( session) != GNUTLS_SSL3 || + session->internals.selected_cert_index >= 0) { + /* TLS 1.0 or SSL 3.0 with a valid certificate + */ + data_size = session->internals.auth_struct->gnutls_generate_client_certificate( session, &data); - if (data_size < 0) { - gnutls_assert(); - return data_size; + if (data_size < 0) { + gnutls_assert(); + return data_size; + } } } - ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT); - gnutls_free(data); - - if (ret<0) { + + /* In the SSL 3.0 protocol we need to send a + * no certificate alert instead of an + * empty certificate. + */ + if (gnutls_protocol_get_version( session) == GNUTLS_SSL3 && + session->internals.selected_cert_index < 0) + { + ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_SSL3_NO_CERTIFICATE); + + } else { /* TLS 1.0 or SSL 3.0 with a valid certificate + */ + ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT); + gnutls_free(data); + } + + if (ret < 0) { gnutls_assert(); return ret; } |
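Review bot: The SSL 3.0/no-certificate decision in `_gnutls_send_client_certificate` is evaluated twice, once negated to guard the generator call and once to select the alert, so the two conditions can drift apart. Compute it once before `data = NULL;`: `int ssl3_no_cert = gnutls_protocol_get_version( session) == GNUTLS_SSL3 && session->internals.selected_cert_index < 0;` and then use `if (!ssl3_no_cert) {` around the generator and `if (ssl3_no_cert) {` for the alert. On the alert branch `data` is still the NULL assigned above, so skipping `gnutls_free(data)` there is fine; whether `gnutls_alert_send` may be called again on the `again != 0` resend path is not visible in the diff. The function starts and ends outside the hunk.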