From 2df0a482e21f3cde692a9009c18a5aba34ca23b4 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 21 Mar 2017 09:36:18 +0100
Subject: handshake: reset cert request state on handshake init

That addresses a bug which on client side on case of an initial handshake with a client certificate, we continue to send this certificate even if on rehandshake we were not requested with on.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/auth/cert.c | 2 +-
 lib/cert-session.c | 5 +++--
 lib/gnutls_int.h | 14 +++++---------
 lib/handshake.c | 1 +
 lib/kx.c | 8 ++++----
 5 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index eefeb892b9..c3590710e9 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1430,7 +1430,7 @@ _gnutls_proc_cert_cert_req(gnutls_session_t session, uint8_t * data,
 /* We should reply with a certificate message,
 * even if we have no certificate to send.
 */
- session->key.crt_requested = 1;
+ session->internals.crt_requested = 1;

 /* now we ask the user to tell which one
 * he wants to use.
diff --git a/lib/cert-session.c b/lib/cert-session.c
index 19c84e5f1e..a2315389ef 100644
--- a/lib/cert-session.c
+++ b/lib/cert-session.c
@@ -143,14 +143,15 @@ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
 * gnutls_certificate_client_get_request_status:
 * @session: is a gnutls session
 *
- * Get whether client certificate is requested or not.
+ * Get whether client certificate was requested on the last
+ * handshake or not.
 *
 * Returns: 0 if the peer (server) did not request client
 * authentication or 1 otherwise.
 **/
 int gnutls_certificate_client_get_request_status(gnutls_session_t session)
 {
- return session->key.crt_requested;
+ return session->internals.crt_requested;
 }

 /**
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 037721c587..2661ceabd2 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
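Review bot: The new wording `was requested on the last handshake` is not quite what the code now does: the flag is cleared at the start of gnutls_handshake() (lib/handshake.c hunk), so while a rehandshake is in progress and before its CertificateRequest has been processed this function returns 0 even if the previous, completed handshake did request a certificate. I would state the lifetime explicitly: ` * Get whether a client certificate was requested during the current or most recently started handshake. The value is reset whenever a new handshake begins.` The field is now unsigned while this function returns int; only 0 and 1 are ever stored (see the assignments in lib/auth/cert.c and lib/kx.c), so the conversion is harmless, but `return session->internals.crt_requested != 0;` would pin the documented 0/1 contract regardless of the field's type.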
@@ -420,15 +420,6 @@ struct gnutls_key_st {
 auth_cred_st *cred; /* used to specify keys/certificates etc */
- int crt_requested;
- /* some ciphersuites use this
- * to provide client authentication.
- * 1 if client auth was requested
- * by the peer, 0 otherwise
- *** In case of a server this
- * holds 1 if we should wait
- * for a client certificate verify
- */
 };
 typedef struct gnutls_key_st gnutls_key_st;
@@ -1002,6 +993,11 @@ typedef struct {
 unsigned int handshake_timeout_ms; /* timeout in milliseconds */
 unsigned int record_timeout_ms; /* timeout in milliseconds */
+ unsigned crt_requested; /* 1 if client auth was requested (i.e., client cert). * In case of a server this holds 1 if we should wait * for a client certificate verify */
+
 gnutls_buffer_st hb_local_data;
 gnutls_buffer_st hb_remote_data;
 struct timespec hb_ping_start; /* timestamp: when first HeartBeat ping was sent */
diff --git a/lib/handshake.c b/lib/handshake.c
index b6c72fd198..308c3224f7 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2577,6 +2577,7 @@ int gnutls_handshake(gnutls_session_t session)
 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);

 session->internals.extensions_sent_size = 0;
+ session->internals.crt_requested = 0;
 session->internals.handshake_in_progress = 1;
 session->internals.vc_status = -1;
 gettime(&session->internals.handshake_start_time);
diff --git a/lib/kx.c b/lib/kx.c
index 18ce07c2f1..ef19563191 100644
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -348,7 +348,7 @@ _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
 /* if certificate verify is not needed just exit */
- if (session->key.crt_requested == 0)
+ if (session->internals.crt_requested == 0)
 return 0;
@@ -394,7 +394,7 @@ int _gnutls_send_client_certificate(gnutls_session_t session, int again)
 int ret = 0;

- if (session->key.crt_requested == 0)
+ if (session->internals.crt_requested == 0)
 return 0;

 if (session->internals.auth_struct->
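Review bot: The comment on the new `crt_requested` member documents what the values mean but not when they are valid, and the lifetime is exactly what this commit changes: gnutls_handshake() now zeroes it at handshake start (lib/handshake.c hunk) and it is set again only when a CertificateRequest is processed on the client or a client Certificate is received on the server (lib/auth/cert.c and lib/kx.c hunks). I would add one line to the comment, ` * Reset to 0 at the start of each handshake by gnutls_handshake(); do not read it across handshakes.`, so the old bug is not reintroduced by a future reader. The type also changed from int to unsigned; that is fine for the 0/1 values stored, but gnutls_certificate_client_get_request_status() in lib/cert-session.c returns it as int, so the field must keep holding only 0 or 1.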
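Review bot: The added `session->internals.crt_requested = 0;` is only safe if this statement run executes once at the beginning of a handshake and not on every entry into gnutls_handshake(): non-blocking callers re-enter this function after GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, and a reset after the CertificateRequest has been processed would make the client skip its Certificate and CertificateVerify (the lib/kx.c hunks check the flag before sending both) and could make a server that already received a client certificate stop expecting CertificateVerify. The neighbouring resets of extensions_sent_size, handshake_in_progress, vc_status and handshake_start_time suggest the run is already under a first-call guard, but that guard is outside the hunk and should be confirmed. A short comment on the new line would help, e.g. `/* per-handshake; must only be cleared on the first call, never on re-entry */`. The enclosing gnutls_handshake() starts and ends outside the hunk.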
@@ -663,7 +663,7 @@ int _gnutls_recv_client_certificate(gnutls_session_t session)
 if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
 ret = 0;
 else
- session->key.crt_requested = 1;
+ session->internals.crt_requested = 1;

 cleanup:
 _gnutls_buffer_clear(&buf);
@@ -717,7 +717,7 @@ _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
 return 0;

 if (session->internals.send_cert_req == 0 ||
- session->key.crt_requested == 0) {
+ session->internals.crt_requested == 0) {
 return 0;
 }

-- 
cgit v1.2.1