authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-21 09:36:18 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-21 12:33:15 +0100
commit798f29647c294bee22fc4fe4920929feadc047d5 (patch)
treedd4557bed5613b7303c905bc7004a7e5b308b7aa
parentd2b121587f55482e5ad198067a00bc7a672260c2 (diff)
downloadgnutls-798f29647c294bee22fc4fe4920929feadc047d5.tar.gz
handshake: reset cert request state on handshake init
That addresses a bug where, on the client side, in the case of an initial handshake with a client certificate, we continued to send this certificate even if on rehandshake we were not requested to. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/auth/cert.c2
-rw-r--r--lib/gnutls_handshake.c1
-rw-r--r--lib/gnutls_int.h14
-rw-r--r--lib/gnutls_kx.c8
-rw-r--r--lib/gnutls_ui.c2
5 files changed, 12 insertions, 15 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 1b5e199616..b69aca176d 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1486,7 +1486,7 @@ _gnutls_proc_cert_cert_req(gnutls_session_t session, uint8_t * data,
/* We should reply with a certificate message,
* even if we have no certificate to send.
*/
- session->key.crt_requested = 1;
+ session->internals.crt_requested = 1;
/* now we ask the user to tell which one
* he wants to use.
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 4268903b31..dd773428be 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2527,6 +2527,7 @@ int gnutls_handshake(gnutls_session_t session)
if (session->internals.priorities.protocol.algorithms == 0)
return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
+ session->internals.crt_requested = 0;
session->internals.handshake_in_progress = 1;
gettime(&session->internals.dtls.handshake_start_time);
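Review bot: The reset `session->internals.crt_requested = 0;` is safe only if the block it sits in runs on the first call of gnutls_handshake() and not on every re-entry; the function's opening and the block enclosing these lines are outside the hunk, so I cannot confirm from here which it is. If the block is not guarded by a first-call check, a non-blocking client that returns GNUTLS_E_AGAIN after processing the CertificateRequest would re-enter here, clear the flag and then skip its Certificate and CertificateVerify messages, which is the inverse of the bug being fixed. Either way the intent deserves a line, since the flag is now the only per-handshake state initialised at this point: `/* per-handshake state: a rehandshake must not reuse the previous CertificateRequest */`.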
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index e32cbfa8ef..7afdabf20e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -435,15 +435,6 @@ struct gnutls_key_st {
auth_cred_st *cred; /* used to specify keys/certificates etc */
- int crt_requested;
- /* some ciphersuites use this
- * to provide client authentication.
- * 1 if client auth was requested
- * by the peer, 0 otherwise
- *** In case of a server this
- * holds 1 if we should wait
- * for a client certificate verify
- */
};
typedef struct gnutls_key_st gnutls_key_st;
@@ -983,6 +974,11 @@ typedef struct {
unsigned int handshake_timeout_ms; /* timeout in milliseconds */
unsigned int record_timeout_ms; /* timeout in milliseconds */
+ unsigned crt_requested; /* 1 if client auth was requested (i.e., client cert).
+ * In case of a server this holds 1 if we should wait
+ * for a client certificate verify
+ */
+
gnutls_buffer_st hb_local_data;
gnutls_buffer_st hb_remote_data;
struct timespec hb_ping_start; /* timestamp: when first HeartBeat ping was sent */
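Review bot: The new comment on crt_requested describes its meaning but not its lifetime: the field is cleared in gnutls_handshake() and so reflects only the current or most recent handshake, which matters because gnutls_certificate_client_get_request_status() returns it to applications. I'd extend the first comment line to `/* 1 if client auth was requested (i.e., client cert) in the current/last handshake; reset at handshake start.` and keep the server-side sentence as is. The move also changes the type from int to unsigned while gnutls_certificate_client_get_request_status() still returns int; harmless for 0/1 values, but an explicit `(int)` in the getter or keeping the type int would make the contract visible.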
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index 04e7a69593..814548319c 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -298,7 +298,7 @@ _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
/* if certificate verify is not needed just exit
*/
- if (session->key.crt_requested == 0)
+ if (session->internals.crt_requested == 0)
return 0;
@@ -344,7 +344,7 @@ int _gnutls_send_client_certificate(gnutls_session_t session, int again)
int ret = 0;
- if (session->key.crt_requested == 0)
+ if (session->internals.crt_requested == 0)
return 0;
if (session->internals.auth_struct->
@@ -607,7 +607,7 @@ int _gnutls_recv_client_certificate(gnutls_session_t session)
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
ret = 0;
else
- session->key.crt_requested = 1;
+ session->internals.crt_requested = 1;
cleanup:
_gnutls_buffer_clear(&buf);
@@ -661,7 +661,7 @@ _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
return 0;
if (session->internals.send_cert_req == 0 ||
- session->key.crt_requested == 0) {
+ session->internals.crt_requested == 0) {
return 0;
}
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 58802c5223..3cfbedeea7 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -557,7 +557,7 @@ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
**/
int gnutls_certificate_client_get_request_status(gnutls_session_t session)
{
- return session->key.crt_requested;
+ return session->internals.crt_requested;
}
/**