authorNikos Mavrogiannopoulos <nmav@gnutls.org>2003-03-24 17:21:54 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2003-03-24 17:21:54 +0000
commitf5669ae6e791277e24019dac60b1f3d83c704d5e (patch)
treef61caed5d91bccfefcf74698addee100fd09853a
parent1b962233d3299078f5cc125d76005cf991c0b642 (diff)
* Corrected behaviour when a certificate request message is received.
Now a certificate packet is always sent, and in SSL 3.0 cipher suites a no_certificate alert is sent instead.
-rw-r--r--NEWS6
-rw-r--r--lib/auth_cert.c9
-rw-r--r--lib/gnutls_buffers.c76
-rw-r--r--lib/gnutls_global.c6
-rw-r--r--lib/gnutls_kx.c39
5 files changed, 87 insertions, 49 deletions
diff --git a/NEWS b/NEWS
index 0d0d819455..b30f4fc776 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+Version 0.9.4
+- Corrected a parsing error in the Certificate request message.
+- Corrected behaviour when a certificate request message is received.
+ Now a certificate packet is always sent, and in SSL 3.0 cipher suites
+ a no_certificate alert is sent instead.
+
Version 0.9.3 (24/03/2003)
- Support for MD2 was dropped.
- Improved the error logging functions, by adding a level, and
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 23138c98ef..7fb8799933 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -429,7 +429,8 @@ int _gnutls_gen_x509_crt(gnutls_session session, opaque ** data)
gnutls_privkey *apr_pkey;
int apr_cert_list_length;
- /* find the appropriate certificate */
+ /* find the appropriate certificate
+ */
if ((ret =
_gnutls_find_apr_cert(session, &apr_cert_list,
&apr_cert_list_length,
@@ -1043,8 +1044,10 @@ int _gnutls_proc_cert_cert_req(gnutls_session session, opaque * data,
*/
session->internals.selected_cert_index = ind;
- if (ind >= 0)
- session->key->certificate_requested = 1;
+ /* We should reply with a certificate message,
+ * even if we have no certificate to send.
+ */
+ session->key->certificate_requested = 1;
return 0;
}
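Review bot: The new comment above `session->key->certificate_requested = 1;` says a certificate message is always sent, but the companion change in lib/gnutls_kx.c sends an SSL 3.0 no_certificate alert instead whenever `selected_cert_index` is negative, and the line just above this comment is where that index is stored; the comment should name that dependency so a later change to how `ind` is stored is not made in isolation. Suggested wording: `/* Always answer the request. selected_cert_index < 0 means no matching certificate; the send path turns that into an empty Certificate message (TLS 1.0) or a no_certificate alert (SSL 3.0). */`. `_gnutls_proc_cert_cert_req` starts outside the hunk.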
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 03d8ca63e6..4ff898b12e 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -201,9 +201,7 @@ static ssize_t _gnutls_read( gnutls_session session, void *iptr, size_t sizeOfPt
size_t left;
ssize_t i=0;
char *ptr = iptr;
-#ifdef READ_DEBUG
- int j,x, sum=0;
-#endif
+ uint j,x, sum=0;
gnutls_transport_ptr fd = session->internals.transport_recv_ptr;
session->internals.direction = 0;
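Review bot: `uint j,x, sum=0;` uses `uint`, which is not an ISO C type (it is a `<sys/types.h>` extension on some platforms); unless a project header defines it, `unsigned int j, x, sum = 0;` is the portable spelling. The same declaration is added to `_gnutls_io_write_buffered` in a later hunk of this file, so both should be changed together. `_gnutls_read` starts outside the hunk.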
@@ -246,21 +244,29 @@ static ssize_t _gnutls_read( gnutls_session session, void *iptr, size_t sizeOfPt
}
finish:
-
-#ifdef READ_DEBUG
- _gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd);
- for (x=0;x<((sizeOfPtr-left)/16)+1;x++) {
- _gnutls_read_log( "%.4x - ",x);
- for (j=0;j<16;j++) {
- if (sum<(sizeOfPtr-left)) {
- _gnutls_read_log( "%.2x ", ((unsigned char*)ptr)[sum++]);
+
+ if (_gnutls_log_level >= 7) {
+ char line[128];
+ char tmp[16];
+
+
+ _gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd);
+
+ for (x=0;x<((sizeOfPtr-left)/16)+1;x++) {
+ line[0] = 0;
+
+ sprintf( tmp, "%.4x - ",x);
+ _gnutls_str_cat( line, sizeof(line), tmp);
+
+ for (j=0;j<16;j++) {
+ if (sum<(sizeOfPtr-left)) {
+ sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]);
+ _gnutls_str_cat( line, sizeof(line), tmp);
+ }
}
+ _gnutls_read_log( "%s\n", line);
}
- _gnutls_read_log( "\n");
-
}
-#endif
-
return (sizeOfPtr - left);
}
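Review bot: The re-added `_gnutls_read_log( "READ: read %d bytes from %d\n", (sizeOfPtr-left), fd);` passes a `size_t` difference (both `sizeOfPtr` and `left` are `size_t` in this function) to `%d`, which is a format/argument mismatch; `"READ: read %lu bytes from ...", (unsigned long)(sizeOfPtr-left)` avoids it, and `fd` is a `gnutls_transport_ptr` whose width cannot be confirmed from here, so it may need a matching conversion as well. The `WRITE:` line in the later hunk of this file prints `i`, `left` and `n` (`ssize_t`/`size_t`) with `%d` and has the same problem. The hex dump itself looks bounded (`tmp[16]` holds the longest `%.4x - ` and `%.2x ` expansions, `_gnutls_str_cat` is size-limited, and `line` is passed as an argument rather than as the format string), so the `_gnutls_log_level >= 7` test is the only thing deciding whether raw transport bytes reach the log; a one-line comment above the block, e.g. `/* level >= 7: dumps every byte received from the transport */`, would make that visible to whoever tunes the levels.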
@@ -522,9 +528,7 @@ static int _gnutls_buffer_get( gnutls_buffer * buffer, const opaque ** ptr, size
ssize_t _gnutls_io_write_buffered( gnutls_session session, const void *iptr, size_t n)
{
size_t left;
-#ifdef WRITE_DEBUG
- int j,x, sum=0;
-#endif
+ uint j,x, sum=0;
ssize_t retval, i;
const opaque * ptr;
int ret;
@@ -591,23 +595,31 @@ ssize_t _gnutls_io_write_buffered( gnutls_session session, const void *iptr, siz
}
left -= i;
-#ifdef WRITE_DEBUG
- _gnutls_write_log( "WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", i, fd, left, n);
- for (x=0;x<((i)/16)+1;x++) {
- if (sum>n-left)
- break;
- _gnutls_write_log( "%.4x - ",x);
- for (j=0;j<16;j++) {
- if (sum<n-left) {
- _gnutls_write_log( "%.2x ", ((unsigned char*)ptr)[sum++]);
- } else break;
+ if (_gnutls_log_level >= 7) {
+ char line[128];
+ char tmp[16];
+
+
+ _gnutls_write_log( "WRITE: wrote %d bytes to %d. Left %d bytes. Total %d bytes.\n", i, fd, left, n);
+ for (x=0;x<(uint)((i)/16)+1;x++) {
+ line[0] = 0;
+
+ if (sum>n-left)
+ break;
+
+ sprintf( tmp, "%.4x - ",x);
+ _gnutls_str_cat( line, sizeof(line), tmp);
+
+ for (j=0;j<16;j++) {
+ if (sum<n-left) {
+ sprintf( tmp, "%.2x ", ((unsigned char*)ptr)[sum++]);
+ _gnutls_str_cat( line, sizeof(line), tmp);
+ } else break;
+ }
+ _gnutls_write_log( "%s\n", line);
}
- _gnutls_write_log( "\n");
}
- _gnutls_write_log( "\n");
-#endif
-
}
retval = n + session->internals.record_send_buffer_prev_size;
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index a04e573e96..fad98adea0 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -32,7 +32,7 @@ extern const ASN1_ARRAY_TYPE gnutls_asn1_tab[];
extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
LOG_FUNC _gnutls_log_func;
-int _gnutls_log_level = 2; /* default log level */
+int _gnutls_log_level = 0; /* default log level */
ASN1_TYPE _gnutls_pkix1_asn;
ASN1_TYPE _gnutls_gnutls_asn;
@@ -60,10 +60,10 @@ void gnutls_global_set_log_function( gnutls_log_func log_func)
*
* This is the function that allows you to set the log level.
* The level is an integer between 0 and 9. Higher values mean
- * more verbosity. The default value is 2. Larger values should
+ * more verbosity. The default value is 0. Larger values should
* only be used with care, since they may reveal sensitive information.
*
- * Use the log level '0' to disable logging.
+ * Use a log level over 10 to enable all debugging options.
*
**/
void gnutls_global_set_log_level( int level)
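Review bot: The new sentence `Use a log level over 10 to enable all debugging options.` contradicts the sentence two lines above it, which still says the level is an integer between 0 and 9; either widen the stated range or phrase it as `Use the maximum level, 9, to enable all debugging options.` The removed sentence that level 0 disables logging was still accurate and is more useful now that 0 is the default (previous hunk), so it is worth keeping alongside. Since the hex dumps added to lib/gnutls_buffers.c in this commit switch on at level 7, the sensitive-information warning in this comment could name that threshold explicitly.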
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index 18f06f8129..80a6bf789c 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -213,9 +213,8 @@ int _gnutls_send_client_certificate_verify( gnutls_session session, int again)
/* if certificate verify is not needed just exit
*/
- if (session->key->certificate_requested==0) {
+ if (session->key->certificate_requested==0)
return 0;
- }
if (session->internals.auth_struct->gnutls_generate_client_cert_vrfy==NULL) {
gnutls_assert();
@@ -350,24 +349,42 @@ int _gnutls_send_client_certificate( gnutls_session session, int again)
if (session->key->certificate_requested == 0)
return 0;
- if (session->internals.auth_struct->gnutls_generate_client_certificate==NULL)
+ if (session->internals.auth_struct->gnutls_generate_client_certificate==NULL)
return 0;
data = NULL;
data_size = 0;
if (again == 0) {
- data_size = session->internals.auth_struct->gnutls_generate_client_certificate( session, &data);
+ if (gnutls_protocol_get_version( session) != GNUTLS_SSL3 ||
+ session->internals.selected_cert_index >= 0) {
+ /* TLS 1.0 or SSL 3.0 with a valid certificate
+ */
+ data_size = session->internals.auth_struct->gnutls_generate_client_certificate( session, &data);
- if (data_size < 0) {
- gnutls_assert();
- return data_size;
+ if (data_size < 0) {
+ gnutls_assert();
+ return data_size;
+ }
}
}
- ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT);
- gnutls_free(data);
-
- if (ret<0) {
+
+ /* In the SSL 3.0 protocol we need to send a
+ * no certificate alert instead of an
+ * empty certificate.
+ */
+ if (gnutls_protocol_get_version( session) == GNUTLS_SSL3 &&
+ session->internals.selected_cert_index < 0)
+ {
+ ret = gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_SSL3_NO_CERTIFICATE);
+
+ } else { /* TLS 1.0 or SSL 3.0 with a valid certificate
+ */
+ ret = _gnutls_send_handshake( session, data, data_size, GNUTLS_CERTIFICATE_PKT);
+ gnutls_free(data);
+ }
+
+ if (ret < 0) {
gnutls_assert();
return ret;
}
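Review bot: The condition `gnutls_protocol_get_version( session) == GNUTLS_SSL3 && session->internals.selected_cert_index < 0` is evaluated twice in opposite polarity (inside the `again == 0` block and again at the send), so the two copies can drift apart under later edits; computing it once, `int ssl3_no_cert = (gnutls_protocol_get_version( session) == GNUTLS_SSL3 && session->internals.selected_cert_index < 0);`, and testing `if (!ssl3_no_cert)` and `if (ssl3_no_cert)` keeps a single source of truth. On the TLS path with `again != 0`, `data` stays NULL and `data_size` 0, so the resend presumably relies on `_gnutls_send_handshake` replaying its buffered record; whether `gnutls_alert_send` behaves the same way when it returns EAGAIN/EINTR and the handshake re-enters this function with `again == 1` is not visible here and should be confirmed, since the SSL 3.0 branch now depends on it. `_gnutls_send_client_certificate` continues past the hunk.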