authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-21 09:36:18 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-21 12:11:19 +0100
commit47ba3b7b0f60ed0796250178d6cb847d8907c9c6 (patch)
treee5df81dbeaef6feb0511b543c0c35e036eb193fa
parent80253f81c86383cc14ff092550bce35eccd40b89 (diff)
handshake: reset cert request state on handshake init
That addresses a bug where, on the client side, after an initial handshake with a client certificate, we would continue to send this certificate even if on rehandshake we were not requested to. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/auth/cert.c2
-rw-r--r--lib/cert-session.c5
-rw-r--r--lib/gnutls_int.h14
-rw-r--r--lib/handshake.c1
-rw-r--r--lib/kx.c8
5 files changed, 14 insertions, 16 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index e8bb1a662a..653240b915 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1431,7 +1431,7 @@ _gnutls_proc_cert_cert_req(gnutls_session_t session, uint8_t * data,
/* We should reply with a certificate message,
* even if we have no certificate to send.
*/
- session->key.crt_requested = 1;
+ session->internals.crt_requested = 1;
/* now we ask the user to tell which one
* he wants to use.
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 19c84e5f1e..a2315389ef 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -143,14 +143,15 @@ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
* gnutls_certificate_client_get_request_status:
* @session: is a gnutls session
*
- * Get whether client certificate is requested or not.
+ * Get whether client certificate was requested on the last
+ * handshake or not.
*
* Returns: 0 if the peer (server) did not request client
* authentication or 1 otherwise.
**/
int gnutls_certificate_client_get_request_status(gnutls_session_t session)
{
- return session->key.crt_requested;
+ return session->internals.crt_requested;
}
/**
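Review bot: The updated docstring still describes only the client view, while the field the function now returns is also set on the server side in `_gnutls_recv_client_certificate()` (the lib/kx.c hunk), where it records that a client certificate was received and a CertificateVerify is expected. The field is also cleared at the start of every handshake (the lib/handshake.c hunk), so the value changes mid-handshake and "last handshake" is only accurate once gnutls_handshake() has completed. Suggest extending the comment with ` * The value is reset when a new handshake starts, so it describes the last completed handshake only after gnutls_handshake() has returned successfully; it is intended for client sessions.` The function body is fully within the hunk.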
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 4132c01680..f8b27612e4 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -420,15 +420,6 @@ struct gnutls_key_st {
auth_cred_st *cred; /* used to specify keys/certificates etc */
- int crt_requested;
- /* some ciphersuites use this
- * to provide client authentication.
- * 1 if client auth was requested
- * by the peer, 0 otherwise
- *** In case of a server this
- * holds 1 if we should wait
- * for a client certificate verify
- */
};
typedef struct gnutls_key_st gnutls_key_st;
@@ -1003,6 +994,11 @@ typedef struct {
unsigned int handshake_timeout_ms; /* timeout in milliseconds */
unsigned int record_timeout_ms; /* timeout in milliseconds */
+ unsigned crt_requested; /* 1 if client auth was requested (i.e., client cert).
+ * In case of a server this holds 1 if we should wait
+ * for a client certificate verify
+ */
+
gnutls_buffer_st hb_local_data;
gnutls_buffer_st hb_remote_data;
struct timespec hb_ping_start; /* timestamp: when first HeartBeat ping was sent */
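Review bot: The new comment on `crt_requested` does not say when the flag is cleared, which is the point of this commit, so a reader of the struct alone cannot tell it is per-handshake state. Suggest `/* 1 if client auth was requested (i.e., client cert). Reset to 0 in gnutls_handshake() at the start of each handshake; set by the client on CertificateRequest and by the server once a client Certificate has been received, in which case a CertificateVerify is expected. */`. The change from `int` to `unsigned` looks safe, since every use in this commit compares against 0 or assigns 1, and gnutls_certificate_client_get_request_status() returns it as int, which is lossless for those values. The enclosing struct definition starts and ends outside the hunk.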
diff --git a/lib/handshake.c b/lib/handshake.c
index 4150d33b43..0275993b96 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2546,6 +2546,7 @@ int gnutls_handshake(gnutls_session_t session)
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
session->internals.extensions_sent_size = 0;
+ session->internals.crt_requested = 0;
session->internals.handshake_in_progress = 1;
session->internals.vc_status = -1;
gettime(&session->internals.handshake_start_time);
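Review bot: The reset of `session->internals.crt_requested` is unconditional within this block, and gnutls_handshake() is re-entered by callers after GNUTLS_E_AGAIN/GNUTLS_E_INTERRUPTED; it sits next to `extensions_sent_size = 0` and `handshake_in_progress = 1`, which I take to be inside the first-call guard, but that condition is outside the hunk, so please confirm. If the block were also executed on re-entry, a server would lose the value set in `_gnutls_recv_client_certificate()` before `_gnutls_recv_client_certificate_verify_message()` checks it and would skip the CertificateVerify step entirely. A short comment such as `/* per-handshake state; cleared so a rehandshake without a CertificateRequest does not resend the client cert */` would record why the reset lives here. The body of gnutls_handshake() continues outside the hunk.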
diff --git a/lib/kx.c b/lib/kx.c
index 18ce07c2f1..ef19563191 100644
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -348,7 +348,7 @@ _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
/* if certificate verify is not needed just exit
*/
- if (session->key.crt_requested == 0)
+ if (session->internals.crt_requested == 0)
return 0;
@@ -394,7 +394,7 @@ int _gnutls_send_client_certificate(gnutls_session_t session, int again)
int ret = 0;
- if (session->key.crt_requested == 0)
+ if (session->internals.crt_requested == 0)
return 0;
if (session->internals.auth_struct->
@@ -663,7 +663,7 @@ int _gnutls_recv_client_certificate(gnutls_session_t session)
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
ret = 0;
else
- session->key.crt_requested = 1;
+ session->internals.crt_requested = 1;
cleanup:
_gnutls_buffer_clear(&buf);
@@ -717,7 +717,7 @@ _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
return 0;
if (session->internals.send_cert_req == 0 ||
- session->key.crt_requested == 0) {
+ session->internals.crt_requested == 0) {
return 0;
}