author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-21 09:36:18 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-21 12:33:15 +0100 |
commit | 798f29647c294bee22fc4fe4920929feadc047d5 (patch) | |
tree | dd4557bed5613b7303c905bc7004a7e5b308b7aa | |
parent | d2b121587f55482e5ad198067a00bc7a672260c2 (diff) | |
handshake: reset cert request state on handshake init
This addresses a bug where, on the client side, after an initial
handshake with a client certificate, we continued to send this
certificate even if on rehandshake we were not asked for one.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/auth/cert.c | 2 | ||||
-rw-r--r-- | lib/gnutls_handshake.c | 1 | ||||
-rw-r--r-- | lib/gnutls_int.h | 14 | ||||
-rw-r--r-- | lib/gnutls_kx.c | 8 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 2 |
5 files changed, 12 insertions, 15 deletions
diff --git a/lib/auth/cert.c b/lib/auth/cert.c
index 1b5e199616..b69aca176d 100644
--- a/lib/auth/cert.c
+++ b/lib/auth/cert.c
@@ -1486,7 +1486,7 @@ _gnutls_proc_cert_cert_req(gnutls_session_t session, uint8_t * data,
 	/* We should reply with a certificate message,
 	 * even if we have no certificate to send.
 	 */
-	session->key.crt_requested = 1;
+	session->internals.crt_requested = 1;
 	/* now we ask the user to tell which one
 	 * he wants to use.
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 4268903b31..dd773428be 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -2527,6 +2527,7 @@ int gnutls_handshake(gnutls_session_t session)
 	if (session->internals.priorities.protocol.algorithms == 0)
 		return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
+	session->internals.crt_requested = 0;
 	session->internals.handshake_in_progress = 1;
 	gettime(&session->internals.dtls.handshake_start_time);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index e32cbfa8ef..7afdabf20e 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -435,15 +435,6 @@ struct gnutls_key_st {
 	auth_cred_st *cred;	/* used to specify keys/certificates etc */
-	int crt_requested;
-	/* some ciphersuites use this
-	 * to provide client authentication.
-	 * 1 if client auth was requested
-	 * by the peer, 0 otherwise
-	 *** In case of a server this
-	 * holds 1 if we should wait
-	 * for a client certificate verify
-	 */
 };
 typedef struct gnutls_key_st gnutls_key_st;
@@ -983,6 +974,11 @@ typedef struct {
 	unsigned int handshake_timeout_ms; /* timeout in milliseconds */
 	unsigned int record_timeout_ms; /* timeout in milliseconds */
+	unsigned crt_requested; /* 1 if client auth was requested (i.e., client cert).
+				 * In case of a server this holds 1 if we should wait
+				 * for a client certificate verify
+				 */
+
 	gnutls_buffer_st hb_local_data;
 	gnutls_buffer_st hb_remote_data;
 	struct timespec hb_ping_start;	/* timestamp: when first HeartBeat ping was sent */
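Review bot: The new `session->internals.crt_requested = 0;` in gnutls_handshake() is unconditional within the visible lines, and the body of gnutls_handshake() starts and ends outside the hunk, so it is not visible whether this sits under a first-call guard. If it does not, every re-entry after GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED would clear a flag that _gnutls_proc_cert_cert_req() may already have set earlier in the same handshake, and the client would then skip its Certificate and CertificateVerify messages. Worth confirming the reset is executed only once per handshake, alongside the `handshake_in_progress = 1` it precedes. A one-line comment would also make the intent clear to the next reader: `/* forget any CertificateRequest from a previous handshake; set again by _gnutls_proc_cert_cert_req() */`.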
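Review bot: The new comment on `crt_requested` in gnutls_int.h describes what the flag means but not its lifecycle, which is the reason for moving it out of gnutls_key_st; since gnutls_handshake() now clears it on handshake init and _gnutls_proc_cert_cert_req() and _gnutls_recv_client_certificate() set it, the comment should say so, e.g. append `* Cleared by gnutls_handshake() at the start of every handshake.` to the comment block. The field also changes type from `int` to `unsigned`, while the public getter gnutls_certificate_client_get_request_status() returns int; that is harmless for 0/1 values, but the neighbouring fields spell the type `unsigned int`, so `unsigned int crt_requested;` would match the file's style.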
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index 04e7a69593..814548319c 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -298,7 +298,7 @@ _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
 	/* if certificate verify is not needed just exit */
-	if (session->key.crt_requested == 0)
+	if (session->internals.crt_requested == 0)
 		return 0;
@@ -344,7 +344,7 @@ int _gnutls_send_client_certificate(gnutls_session_t session, int again)
 	int ret = 0;
-	if (session->key.crt_requested == 0)
+	if (session->internals.crt_requested == 0)
 		return 0;
 	if (session->internals.auth_struct->
@@ -607,7 +607,7 @@ int _gnutls_recv_client_certificate(gnutls_session_t session)
 	if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
 		ret = 0;
 	else
-		session->key.crt_requested = 1;
+		session->internals.crt_requested = 1;
 cleanup:
 	_gnutls_buffer_clear(&buf);
@@ -661,7 +661,7 @@ _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
 		return 0;
 	if (session->internals.send_cert_req == 0 ||
-	    session->key.crt_requested == 0) {
+	    session->internals.crt_requested == 0) {
 		return 0;
 	}
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 58802c5223..3cfbedeea7 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -557,7 +557,7 @@ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
  **/
 int gnutls_certificate_client_get_request_status(gnutls_session_t session)
 {
-	return session->key.crt_requested;
+	return session->internals.crt_requested;
 }
 /**
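Review bot: The public getter gnutls_certificate_client_get_request_status() now observes a value that gnutls_handshake() resets at the start of every handshake, and its doxygen block (which ends at the ` **/` context line and otherwise lies above the hunk) does not say so. A caller that polls it between a completed handshake and a rehandshake will see the flag drop to 0 as soon as gnutls_handshake() is called again, which is the intended behaviour but a visible change for existing users. Suggest adding to the doc comment: `The value is reset when a new handshake starts, so it reflects only the most recent (re)handshake.`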