authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-11-07 15:36:01 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-12-09 10:23:17 +0000
commit75e1600de99d6bea4ec2e2962ad7bfc192eec113 (patch)
treeccaef8fe086b4add5c204c27c515de1cb01c1edf
parentbc1f7cb79d1957dae50965a70604fa72dd4a48e3 (diff)
handshake: use hsk_flags in TLS1.2 and TLS1.3
The flags provide a more transparent view of the received and expected messages. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/auth/cert.c2
-rw-r--r--lib/cert-session.c5
-rw-r--r--lib/gnutls_int.h8
-rw-r--r--lib/handshake.c2
-rw-r--r--lib/includes/gnutls/gnutls.h.in2
-rw-r--r--lib/kx.c8
-rw-r--r--lib/state.c1
-rw-r--r--lib/tls13/certificate_request.c4
8 files changed, 13 insertions, 19 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 7c6b631a1d..6d618a3532 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -977,7 +977,7 @@ _gnutls_proc_cert_cert_req(gnutls_session_t session, uint8_t * data,
/* We should reply with a certificate message,
* even if we have no certificate to send.
*/
- session->internals.crt_requested = 1;
+ session->internals.hsk_flags |= HSK_CRT_ASKED;
/* now we ask the user to tell which one
* he wants to use.
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 1ba55fa448..e7a529a96a 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -117,9 +117,10 @@ const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t
* Returns: 0 if the peer (server) did not request client
* authentication or 1 otherwise.
**/
-int gnutls_certificate_client_get_request_status(gnutls_session_t session)
+unsigned
+gnutls_certificate_client_get_request_status(gnutls_session_t session)
{
- return session->internals.crt_requested;
+ return (session->internals.hsk_flags & HSK_CRT_ASKED)?1:0;
}
/**
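Review bot: The exported `gnutls_certificate_client_get_request_status()` changes its return type from `int` to `unsigned` here and in the prototype in lib/includes/gnutls/gnutls.h.in, yet the doc comment above it records neither that nor the narrower meaning. The values stay 0/1, so ordinary callers are unaffected, but code that stores the function's address as `int (*)(gnutls_session_t)` will now get an incompatible-pointer diagnostic. The function also reads only `HSK_CRT_ASKED`, which the visible hunks set on client paths only, while the server path in lib/kx.c sets `HSK_CRT_VRFY_EXPECTED`; on a server session it will therefore return 0 where the old shared field could hold 1. I would add to the doc comment `* This function is only meaningful on client sessions; on a server it returns 0.` and note the type change in the release notes.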
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 4a02ddbae1..68ca48dcc3 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1145,14 +1145,9 @@ typedef struct {
#define HSK_CRT_REQ_SENT (1<<5)
#define HSK_CRT_REQ_GOT_SIG_ALGO (1<<6)
#define HSK_KEY_UPDATE_ASKED (1<<7) /* flag is not used during handshake */
- unsigned hsk_flags; /* TLS1.3 only */
+ unsigned hsk_flags;
time_t last_key_update;
- unsigned crt_requested; /* 1 if client auth was requested (i.e., client cert).
- * In case of a server this holds 1 if we should wait
- * for a client certificate verify
- */
-
gnutls_buffer_st hb_local_data;
gnutls_buffer_st hb_remote_data;
struct timespec hb_ping_start; /* timestamp: when first HeartBeat ping was sent */
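Review bot: `hsk_flags` loses its only comment in this hunk just as it takes over from `crt_requested`, whose removed comment was the one place that explained the different client and server meanings. As used in the visible hunks, those meanings are now split between `HSK_CRT_ASKED` (client was asked for a certificate) and `HSK_CRT_VRFY_EXPECTED` (server waits for CertificateVerify), and nothing at the field says so or says when the word is cleared. I would write `unsigned hsk_flags; /* HSK_* bits, TLS1.2 and TLS1.3; cleared at the start of gnutls_handshake() */` and put a one-line comment on each of the two flag definitions, which sit outside this hunk. `HSK_KEY_UPDATE_ASKED` is marked as not used during the handshake but shares this word, so its comment should also state that it is zeroed together with the rest.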
@@ -1168,6 +1163,7 @@ typedef struct {
recv_state_t recv_state; /* state of the receive function */
+ /* if set, server and client random were set by the application */
bool sc_random_set;
unsigned flags; /* the flags in gnutls_init() */
diff --git a/lib/handshake.c b/lib/handshake.c
index f7c6853416..559e115528 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2394,7 +2394,7 @@ int gnutls_handshake(gnutls_session_t session)
return gnutls_assert_val(ret);
session->internals.used_exts = 0;
- session->internals.crt_requested = 0;
+ session->internals.hsk_flags = 0;
session->internals.handshake_in_progress = 1;
session->internals.vc_status = -1;
gettime(&session->internals.handshake_start_time);
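Review bot: This assignment becomes the only visible place where `hsk_flags` is cleared, because the same commit drops the reset from `handshake_internal_state_clear1()` in lib/state.c, and the flags now decide in lib/kx.c whether a client CertificateVerify is awaited. The reset therefore has to run once per handshake and not on a re-entry of `gnutls_handshake()` after a non-blocking return, otherwise `HSK_CRT_VRFY_EXPECTED` would be wiped mid-handshake and the verify step skipped. The condition guarding this block is outside the hunk, so that cannot be confirmed from here. A why-comment would pin the intent, for example `/* first call only: hsk_flags must survive re-entry and remain readable after the handshake */`.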
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 28703b5dce..71c22d0868 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2429,7 +2429,7 @@ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
time_t gnutls_certificate_activation_time_peers(gnutls_session_t session);
time_t gnutls_certificate_expiration_time_peers(gnutls_session_t session);
-int gnutls_certificate_client_get_request_status(gnutls_session_t session);
+unsigned gnutls_certificate_client_get_request_status(gnutls_session_t session);
int gnutls_certificate_verify_peers2(gnutls_session_t session,
unsigned int *status);
int gnutls_certificate_verify_peers3(gnutls_session_t session,
diff --git a/lib/kx.c b/lib/kx.c
index b7602a5c67..cf27db98f0 100644
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -341,7 +341,7 @@ _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
/* if certificate verify is not needed just exit
*/
- if (session->internals.crt_requested == 0)
+ if (!(session->internals.hsk_flags & HSK_CRT_ASKED))
return 0;
@@ -387,7 +387,7 @@ int _gnutls_send_client_certificate(gnutls_session_t session, int again)
int ret = 0;
mbuffer_st *bufel = NULL;
- if (session->internals.crt_requested == 0)
+ if (!(session->internals.hsk_flags & HSK_CRT_ASKED))
return 0;
if (session->internals.auth_struct->
@@ -661,7 +661,7 @@ int _gnutls_recv_client_certificate(gnutls_session_t session)
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
ret = 0;
else
- session->internals.crt_requested = 1;
+ session->internals.hsk_flags |= HSK_CRT_VRFY_EXPECTED;
cleanup:
_gnutls_buffer_clear(&buf);
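Review bot: The `else` arm sets `HSK_CRT_VRFY_EXPECTED` for every outcome other than "no certificate and optional", which includes a negative `ret` from a certificate that failed to parse. That mirrors the old `crt_requested = 1` and is presumably harmless as long as the caller aborts the handshake on error, but the new flag name reads as "a certificate was accepted, expect its proof of possession", and that does not hold on the error path. Either narrow it to `else if (ret >= 0) session->internals.hsk_flags |= HSK_CRT_VRFY_EXPECTED;` or add a comment such as `/* also set when ret < 0; the handshake is aborted by the caller in that case */`. The function body begins outside this hunk, so the earlier assignments to `ret` are not visible here.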
@@ -715,7 +715,7 @@ _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
return 0;
if (session->internals.send_cert_req == 0 ||
- session->internals.crt_requested == 0) {
+ (!(session->internals.hsk_flags & HSK_CRT_VRFY_EXPECTED))) {
return 0;
}
diff --git a/lib/state.c b/lib/state.c
index e87d779d03..2b6184de93 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -223,7 +223,6 @@ static void handshake_internal_state_clear1(gnutls_session_t session)
session->internals.cand_ec_group = 0;
session->internals.cand_dh_group = 0;
- session->internals.hsk_flags = 0;
session->internals.hrr_cs[0] = CS_INVALID_MAJOR;
session->internals.hrr_cs[1] = CS_INVALID_MINOR;
}
diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c
index 42ba3c4055..252762033a 100644
--- a/lib/tls13/certificate_request.c
+++ b/lib/tls13/certificate_request.c
@@ -156,7 +156,7 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
goto cleanup;
}
- session->internals.crt_requested = 1;
+ session->internals.hsk_flags |= HSK_CRT_ASKED;
ret = _gnutls_select_client_cert(session, ctx.rdn, ctx.rdn_size,
ctx.pk_algos, ctx.pk_algos_length);
@@ -165,8 +165,6 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
goto cleanup;
}
- session->internals.hsk_flags |= HSK_CRT_ASKED;
-
ret = 0;
cleanup: