authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-06-27 14:38:40 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-07-02 08:39:51 +0000
commitc0ff5485481e6b035fdf588098e456a3e82be8b7 (patch)
treeda4f37ce0c9a92f363dbeda30368c51da5985ce2
parent9caad776a796328132963fdd4961ad8e306ec842 (diff)
post-handshake: return GNUTLS_E_GOT_APPLICATION_DATA as documented to
Relates #490 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/record.c17
-rw-r--r--lib/tls13/post_handshake.c3
2 files changed, 16 insertions, 4 deletions
diff --git a/lib/record.c b/lib/record.c
index ce0ecb672a..ed82db20a5 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -838,7 +838,7 @@ record_add_to_buffers(gnutls_session_t session,
*/
gnutls_assert();
ret = GNUTLS_E_WARNING_ALERT_RECEIVED;
- if (ver->tls13_sem || bufel->msg.data[0] == GNUTLS_AL_FATAL) {
+ if ((ver && ver->tls13_sem) || bufel->msg.data[0] == GNUTLS_AL_FATAL) {
session_unresumable(session);
session_invalidate(session);
ret =
@@ -875,8 +875,19 @@ record_add_to_buffers(gnutls_session_t session,
goto unexpected_packet;
}
+ /* In TLS1.3 post-handshake authentication allow application
+ * data error code. */
+ if ((ver && ver->tls13_sem) && type == GNUTLS_HANDSHAKE &&
+ htype == GNUTLS_HANDSHAKE_CERTIFICATE_PKT &&
+ session->internals.initial_negotiation_completed) {
+ _gnutls_record_buffer_put(session, recv->type,
+ seq, bufel);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_GOT_APPLICATION_DATA);
+ }
- /* the got_application data is only returned
+ /* The got_application data is only returned
* if expecting client hello (for rehandshake
* reasons). Otherwise it is an unexpected packet
*/
@@ -944,7 +955,7 @@ record_add_to_buffers(gnutls_session_t session,
}
/* retrieve async handshake messages */
- if (ver->tls13_sem) {
+ if (ver && ver->tls13_sem) {
gnutls_buffer_st buf;
_gnutls_ro_buffer_from_datum(&buf, &bufel->msg);
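Review bot: The new early-return branch in the second hunk of lib/record.c (the `GNUTLS_HANDSHAKE_CERTIFICATE_PKT` case) gates only on `ver->tls13_sem`, the handshake type and `initial_negotiation_completed`, so as far as this hunk shows any post-handshake Certificate message is buffered and surfaced to the application as GNUTLS_E_GOT_APPLICATION_DATA, regardless of whether a CertificateRequest was sent or the peer advertised post-handshake auth; if that state check is done in gnutls_reauth(), the comment should say so, e.g. `/* TLS1.3 post-handshake auth: buffer the Certificate and let the application re-enter via gnutls_reauth(), which validates the reauth state. */`. Calling `_gnutls_record_buffer_put()` before returning an error code also hands ownership of `bufel` to the record buffer, unlike the `unexpected_packet` path that presumably releases it; confirm the caller does not free `bufel` when it sees this return value. The `(ver && ver->tls13_sem)` guard is now repeated in all three hunks of this file and could be computed once into a local near the top of the function. record_add_to_buffers starts and ends outside these hunks.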
diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c
index ddab66f9a3..c550c198a7 100644
--- a/lib/tls13/post_handshake.c
+++ b/lib/tls13/post_handshake.c
@@ -214,7 +214,8 @@ int _gnutls13_reauth_server(gnutls_session_t session)
*
* The former two interrupt the authentication procedure due to the transport
* layer being interrupted, and the latter because there were pending data prior
- * to peer initiating the re-authentication.
+ * to peer initiating the re-authentication. The server should read/process that
+ * data as unauthenticated and retry calling gnutls_reauth().
*
* When this function is called under TLS1.2 or earlier or the peer didn't
* advertise post-handshake auth, it always fails with