summaryrefslogtreecommitdiff
path: root/libextra
diff options
context:
space:
mode:
authorSimon Josefsson <simon@josefsson.org>2006-05-05 09:07:17 +0000
committerSimon Josefsson <simon@josefsson.org>2006-05-05 09:07:17 +0000
commitf9f46ac68653694d3e4675f4be22fdb6baa6d5a6 (patch)
treeba2692cfead6551b78c74e2089525cc9c6f4abe0 /libextra
parenta30536bec8e4ff37cf89ea187ac9e86d4992d6f5 (diff)
downloadgnutls-f9f46ac68653694d3e4675f4be22fdb6baa6d5a6.tar.gz
TLS/IA fixes from Emile.
Diffstat (limited to 'libextra')
-rw-r--r--libextra/gnutls_ia.c79
1 files changed, 44 insertions, 35 deletions
diff --git a/libextra/gnutls_ia.c b/libextra/gnutls_ia.c
index adf821a882..a98c65fd98 100644
--- a/libextra/gnutls_ia.c
+++ b/libextra/gnutls_ia.c
@@ -383,7 +383,9 @@ gnutls_ia_verify_endphase (gnutls_session_t session, const char *checksum)
*
* To finish an application phase in the server, use
* gnutls_ia_endphase_send(). The client cannot end an application
- * phase.
+ * phase unilaterally; rather, a client is required to respond with
+ * an endphase of its own if gnutls_ia_recv indicates that the server
+ * has sent one.
*
* If the EINTR is returned by the internal push function (the default
* is send()} then %GNUTLS_E_INTERRUPTED will be returned. If
@@ -418,7 +420,8 @@ gnutls_ia_send (gnutls_session_t session, const char *data, size_t sizeofdata)
* If the server attempt to finish an application phase, this function
* will return %GNUTLS_E_WARNING_IA_IPHF_RECEIVED or
* %GNUTLS_E_WARNING_IA_FPHF_RECEIVED. The caller should then invoke
- * gnutls_ia_verify_endphase().
+ * gnutls_ia_verify_endphase(), and if it runs the client side, also
+ * send an endphase message of its own using gnutls_ia_endphase_send.
*
* If EINTR is returned by the internal push function (the default is
* @code{recv()}) then GNUTLS_E_INTERRUPTED will be returned. If
@@ -607,23 +610,23 @@ gnutls_ia_handshake_p (gnutls_session_t session)
{
tls_ext_st *ext = &session->security_parameters.extensions;
- /* The other side didn't advertise TLS/IA. */
- if (ext->peer_mode == GNUTLS_IA_DISABLED)
- return 0;
+ /* Either local side or peer doesn't do TLS/IA: don't do IA */
- /* We don't consider the inner phase optional. */
- if (!ext->inner_phase_optional)
- return 1;
+ if (!ext->gnutls_ia_enable || !ext->gnutls_ia_peer_enable)
+ return 0;
- /* This is not a resumed session. always require an inner
- application. */
- if (!gnutls_session_is_resumed (session))
- return 1;
+ /* Not resuming or we don't allow skipping on resumption locally: do IA */
- /* Require an inner phase if the other end requested it. */
- return ext->peer_mode == GNUTLS_IA_APP_PHASE_ON_RESUMPTION_YES;
+ if (!ext->gnutls_ia_allowskip || !gnutls_session_is_resumed (session))
+ return 1;
+
+ /* If we're resuming and we and the peer both allow skipping on resumption:
+ * don't do IA */
+
+ return !ext->gnutls_ia_peer_allowskip;
}
+
/**
* gnutls_ia_handshake:
* @session: is a #gnutls_session_t structure.
@@ -872,29 +875,35 @@ gnutls_ia_get_server_avp_ptr (gnutls_ia_server_credentials_t cred)
}
/**
- * gnutls_ia_require_inner_phase - Set if a TLS/IA inner phase is required
+ * gnutls_ia_enable - Call this to indicate the application's willingness
+ * to execute one or more TLS/IA application phases
+ * in the handshake.
* @session: is a #gnutls_session_t structure.
- * @require: non-zero if an inner application phase should be required.
- *
- * Specify whether a TLS/IA Inner Application Phase will be required
- * or not. If the TLS session is resumed, it is possibly to optimize
- * away the inner application phase by calling this function and
- * specify a zero value for @require.
- *
- * For this function to have any effect, it must be called before
- * gnutls_handshake().
- *
- * Whether to invoke the TLS/IA handshake will also depend on whether
- * the client supports or requested TLS/IA. A server should thus use
- * gnutls_ia_handshake_p() to decide whether to call
- * gnutls_ia_handshake() or not.
+ * @allow_skip_on_resume: non-zero if local party allows to skip the
+ * TLS/IA application phases for a resumed session.
+ *
+ * Specify whether we must advertise support for the TLS/IA extension
+ * during the handshake.
+ *
+ * At the client side, we always advertise TLS/IA if gnutls_ia_enable was
+ * called before the handshake; at the server side, we also require that
+ * the client has advertised that it wants to run TLS/IA before including
+ * the advertisement, as required by the protocol.
+ *
+ * Similarly, at the client side we always advertise that we allow TLS/IA to be
+ * skipped for resumed sessions if @allow_skip_on_resume is non-zero; at the
+ * server side, we also require that the session is indeed resumable and that
+ * the client has also advertised that it allows TLS/IA to be skipped for
+ * resumed sessions.
+ *
+ * After the TLS handshake, call gnutls_ia_handshake_p() to find out
+ * whether both parties agreed to do a TLS/IA handshake, before calling
+ * gnutls_ia_handshake() or one of the lower level gnutls_ia_* functions.
**/
void
-gnutls_ia_require_inner_phase (gnutls_session_t session, int require)
+gnutls_ia_enable (gnutls_session_t session, int allow_skip_on_resume)
{
- /* XXX. This function should ideally take a TLS/IA credential, but
- we can't do that, since we don't want the LGPL'd
- lib/ext_inner_applicaiton.c to call/inspect GPL'd
- functions/structures. */
- session->security_parameters.extensions.inner_phase_optional = !require;
+ session->security_parameters.extensions.gnutls_ia_enable = 1;
+ session->security_parameters.extensions.gnutls_ia_allowskip =
+ allow_skip_on_resume;
}