diff options
author | Simon Josefsson <simon@josefsson.org> | 2006-05-05 09:07:17 +0000 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2006-05-05 09:07:17 +0000 |
commit | f9f46ac68653694d3e4675f4be22fdb6baa6d5a6 (patch) | |
tree | ba2692cfead6551b78c74e2089525cc9c6f4abe0 /libextra | |
parent | a30536bec8e4ff37cf89ea187ac9e86d4992d6f5 (diff) | |
download | gnutls-f9f46ac68653694d3e4675f4be22fdb6baa6d5a6.tar.gz |
TLS/IA fixes from Emile.
Diffstat (limited to 'libextra')
-rw-r--r-- | libextra/gnutls_ia.c | 79 |
1 files changed, 44 insertions, 35 deletions
diff --git a/libextra/gnutls_ia.c b/libextra/gnutls_ia.c index adf821a882..a98c65fd98 100644 --- a/libextra/gnutls_ia.c +++ b/libextra/gnutls_ia.c @@ -383,7 +383,9 @@ gnutls_ia_verify_endphase (gnutls_session_t session, const char *checksum) * * To finish an application phase in the server, use * gnutls_ia_endphase_send(). The client cannot end an application - * phase. + * phase unilaterally; rather, a client is required to respond with + * an endphase of its own if gnutls_ia_recv indicates that the server + * has sent one. * * If the EINTR is returned by the internal push function (the default * is send()} then %GNUTLS_E_INTERRUPTED will be returned. If @@ -418,7 +420,8 @@ gnutls_ia_send (gnutls_session_t session, const char *data, size_t sizeofdata) * If the server attempt to finish an application phase, this function * will return %GNUTLS_E_WARNING_IA_IPHF_RECEIVED or * %GNUTLS_E_WARNING_IA_FPHF_RECEIVED. The caller should then invoke - * gnutls_ia_verify_endphase(). + * gnutls_ia_verify_endphase(), and if it runs the client side, also + * send an endphase message of its own using gnutls_ia_endphase_send. * * If EINTR is returned by the internal push function (the default is * @code{recv()}) then GNUTLS_E_INTERRUPTED will be returned. If @@ -607,23 +610,23 @@ gnutls_ia_handshake_p (gnutls_session_t session) { tls_ext_st *ext = &session->security_parameters.extensions; - /* The other side didn't advertise TLS/IA. */ - if (ext->peer_mode == GNUTLS_IA_DISABLED) - return 0; + /* Either local side or peer doesn't do TLS/IA: don't do IA */ - /* We don't consider the inner phase optional. */ - if (!ext->inner_phase_optional) - return 1; + if (!ext->gnutls_ia_enable || !ext->gnutls_ia_peer_enable) + return 0; - /* This is not a resumed session. always require an inner - application. */ - if (!gnutls_session_is_resumed (session)) - return 1; + /* Not resuming or we don't allow skipping on resumption locally: do IA */ - /* Require an inner phase if the other end requested it. */ - return ext->peer_mode == GNUTLS_IA_APP_PHASE_ON_RESUMPTION_YES; + if (!ext->gnutls_ia_allowskip || !gnutls_session_is_resumed (session)) + return 1; + + /* If we're resuming and we and the peer both allow skipping on resumption: + * don't do IA */ + + return !ext->gnutls_ia_peer_allowskip; } + /** * gnutls_ia_handshake: * @session: is a #gnutls_session_t structure. @@ -872,29 +875,35 @@ gnutls_ia_get_server_avp_ptr (gnutls_ia_server_credentials_t cred) } /** - * gnutls_ia_require_inner_phase - Set if a TLS/IA inner phase is required + * gnutls_ia_enable - Call this to indicate the application's willingness + * to execute one or more TLS/IA application phases + * in the handshake. * @session: is a #gnutls_session_t structure. - * @require: non-zero if an inner application phase should be required. - * - * Specify whether a TLS/IA Inner Application Phase will be required - * or not. If the TLS session is resumed, it is possibly to optimize - * away the inner application phase by calling this function and - * specify a zero value for @require. - * - * For this function to have any effect, it must be called before - * gnutls_handshake(). - * - * Whether to invoke the TLS/IA handshake will also depend on whether - * the client supports or requested TLS/IA. A server should thus use - * gnutls_ia_handshake_p() to decide whether to call - * gnutls_ia_handshake() or not. + * @allow_skip_on_resume: non-zero if local party allows to skip the + * TLS/IA application phases for a resumed session. + * + * Specify whether we must advertise support for the TLS/IA extension + * during the handshake. + * + * At the client side, we always advertise TLS/IA if gnutls_ia_enable was + * called before the handshake; at the server side, we also require that + * the client has advertised that it wants to run TLS/IA before including + * the advertisement, as required by the protocol. + * + * Similarly, at the client side we always advertise that we allow TLS/IA to be + * skipped for resumed sessions if @allow_skip_on_resume is non-zero; at the + * server side, we also require that the session is indeed resumable and that + * the client has also advertised that it allows TLS/IA to be skipped for + * resumed sessions. + * + * After the TLS handshake, call gnutls_ia_handshake_p() to find out + * whether both parties agreed to do a TLS/IA handshake, before calling + * gnutls_ia_handshake() or one of the lower level gnutls_ia_* functions. **/ void -gnutls_ia_require_inner_phase (gnutls_session_t session, int require) +gnutls_ia_enable (gnutls_session_t session, int allow_skip_on_resume) { - /* XXX. This function should ideally take a TLS/IA credential, but - we can't do that, since we don't want the LGPL'd - lib/ext_inner_applicaiton.c to call/inspect GPL'd - functions/structures. */ - session->security_parameters.extensions.inner_phase_optional = !require; + session->security_parameters.extensions.gnutls_ia_enable = 1; + session->security_parameters.extensions.gnutls_ia_allowskip = + allow_skip_on_resume; } |