authorNikos Mavrogiannopoulos <nmav@gnutls.org>2018-11-19 12:55:41 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-11-19 12:55:41 +0000
commitbe2e60ae70b0fac7e43dea5faee2a80f58a758f7 (patch)
tree259243ad1f0bb8f31462bb93b8e343bdf2888c94
parent639d1df7e4e249559b4a20b9eaad57a93b2ecdce (diff)
parent05a6f8c9466f3138043c49e8da18d8ac097dc155 (diff)
downloadgnutls-be2e60ae70b0fac7e43dea5faee2a80f58a758f7.tar.gz
Merge branch 'tmp-fix-certificate-type' into 'master'
gnutls_certificate_type_get*: ensure that the default type is returned See merge request gnutls/gnutls!806
-rw-r--r--CONTRIBUTING.md5
-rw-r--r--lib/session_pack.c20
-rw-r--r--lib/state.c39
-rw-r--r--tests/mini-x509-2.c4
-rw-r--r--tests/mini-x509.c3
-rw-r--r--tests/resume.c11
6 files changed, 50 insertions, 32 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c5a02c61a6..dc0f40d0a1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -63,8 +63,9 @@ case by case basis.
# Indentation style:
- In general, use the Linux kernel coding style. You may indent the source
-using GNU indent, e.g. "indent -linux *.c".
+ In general, use [the Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html).
+You may indent the source using GNU indent, e.g. "indent -linux *.c".
+
# Function names:
diff --git a/lib/session_pack.c b/lib/session_pack.c
index 1869f7740b..eec594e38e 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -905,14 +905,14 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id);
+ BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
+ BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
+
/* if we are under TLS 1.3 do not pack keys or params negotiated using an extension
* they are not necessary */
if (!session->security_parameters.pversion->tls13_sem) {
BUFFER_APPEND(ps, session->security_parameters.cs->id, 2);
- BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
- BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
-
BUFFER_APPEND_PFX1(ps, session->security_parameters.master_secret,
GNUTLS_MASTER_SIZE);
BUFFER_APPEND_PFX1(ps, session->security_parameters.client_random,
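Review bot: Hoisting the two BUFFER_APPEND_NUM(client_ctype/server_ctype) lines above the tls13_sem branch changes the packed-session layout, and nothing in this hunk bumps a format version, so a blob packed by a build without this change would have its cert-type fields read from whatever followed the version id in the old layout. If PACKED_SESSION_MAGIC already folds the library version in, as I believe it does, a cross-release mismatch is rejected at the magic check and this only matters for data exchanged between builds of the same development series; either way a short comment at the new lines would help the next reader, e.g. `/* packed before the TLS1.3 branch so that resumed TLS1.3 sessions also restore the negotiated certificate types */`. pack_security_parameters continues outside the hunk.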
@@ -1005,19 +1005,19 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ BUFFER_POP_NUM(ps,
+ session->internals.resumed_security_parameters.
+ client_ctype);
+ BUFFER_POP_NUM(ps,
+ session->internals.resumed_security_parameters.
+ server_ctype);
+
if (!session->internals.resumed_security_parameters.pversion->tls13_sem) {
BUFFER_POP(ps, cs, 2);
session->internals.resumed_security_parameters.cs = ciphersuite_to_entry(cs);
if (session->internals.resumed_security_parameters.cs == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- BUFFER_POP_NUM(ps,
- session->internals.resumed_security_parameters.
- client_ctype);
- BUFFER_POP_NUM(ps,
- session->internals.resumed_security_parameters.
- server_ctype);
-
/* master secret */
ret = _gnutls_buffer_pop_datum_prefix8(ps, &t);
if (ret < 0) {
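Review bot: The two BUFFER_POP_NUM calls store client_ctype and server_ctype into resumed_security_parameters without any range check, whereas the ciphersuite popped a few lines later is validated through ciphersuite_to_entry() and rejected with GNUTLS_E_INVALID_REQUEST when unknown. Since this data comes from stored or ticketed session state, the same treatment is warranted here: after the pops, reject any value that is not a known gnutls_certificate_type_t (GNUTLS_CRT_UNKNOWN included) with `return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`, so that gnutls_certificate_type_get2() can never report a type the library does not support. unpack_security_parameters continues outside the hunk.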
diff --git a/lib/state.c b/lib/state.c
index 7e6354f9fe..98c6bb56f9 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -89,11 +89,16 @@ gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session)
* gnutls_certificate_type_get:
* @session: is a #gnutls_session_t type.
*
- * The certificate type is by default X.509, unless it is negotiated
- * as a TLS extension.
+ * This function returns the type of the certificate that is negotiated
+ * for this side to send to the peer. The certificate type is by default
+ * X.509, unless an alternative certificate type is enabled by
+ * gnutls_init() and negotiated during the session.
+ *
+ * Resumed sessions will return the certificate type that was negotiated
+ * and used in the original session.
*
* As of version 3.6.4 it is recommended to use
- * gnutls_certificate_type_get2().
+ * gnutls_certificate_type_get2() which is more fine-grained.
*
* Returns: the currently used #gnutls_certificate_type_t certificate
* type as negotiated for 'our' side of the connection.
@@ -109,20 +114,22 @@ gnutls_certificate_type_get(gnutls_session_t session)
* @session: is a #gnutls_session_t type.
* @target: is a #gnutls_ctype_target_t type.
*
- * The raw public-key extension (RFC7250) introduces a mechanism
- * to specifcy different certificate types for the client and server. We
- * therefore distinguish between negotiated certificate types for the
- * client and server. The @target parameter specifies whether you want
- * the negotiated certificate type for the client (GNUTLS_CTYPE_CLIENT)
- * or for the server (GNUTLS_CTYPE_SERVER). Additionally, in P2P mode
+ * This function returns the type of the certificate that a side
+ * is negotiated to use. The certificate type is by default X.509,
+ * unless an alternative certificate type is enabled by gnutls_init() and
+ * negotiated during the session.
+ *
+ * The @target parameter specifies whether to request the negotiated
+ * certificate type for the client (%GNUTLS_CTYPE_CLIENT),
+ * or for the server (%GNUTLS_CTYPE_SERVER). Additionally, in P2P mode
* connection set up where you don't know in advance who will be client
- * and who will be server you can use the flag (GNUTLS_CTYPE_OURS) and
- * (GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types.
+ * and who will be server you can use the flag (%GNUTLS_CTYPE_OURS) and
+ * (%GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types.
*
- * In case no certificate types were explicitly set via the priority
- * strings to be negotiated during the handshake, then this function
- * will return the default certificate type (X.509) for both the
- * client and the server.
+ * Resumed sessions will return the certificate type that was negotiated
+ * and used in the original session. That is, this function can be used
+ * to reliably determine the type of the certificate returned by
+ * gnutls_certificate_get_peers().
*
* Returns: the currently used #gnutls_certificate_type_t certificate
* type for the client or the server.
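Review bot: The rewritten opening sentence of the gnutls_certificate_type_get2() description, `This function returns the type of the certificate that a side is negotiated to use`, reads awkwardly and leaves "a side" undefined until the @target paragraph; `This function returns the certificate type negotiated for the side selected by @target.` says the same thing directly. The new claim that the result reliably identifies the type returned by gnutls_certificate_get_peers() on resumed sessions depends on the certificate types being restored from the packed session data, which this merge changes in lib/session_pack.c; the doc comment is fine as written as long as that restoration covers every protocol version. The function body that follows this hunk continues outside it.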
@@ -131,7 +138,7 @@ gnutls_certificate_type_get(gnutls_session_t session)
**/
gnutls_certificate_type_t
gnutls_certificate_type_get2(gnutls_session_t session,
- gnutls_ctype_target_t target)
+ gnutls_ctype_target_t target)
{
switch (target) {
case GNUTLS_CTYPE_CLIENT:
diff --git a/tests/mini-x509-2.c b/tests/mini-x509-2.c
index 8badfc1ecb..e20d45b7ff 100644
--- a/tests/mini-x509-2.c
+++ b/tests/mini-x509-2.c
@@ -303,6 +303,8 @@ void start(const char *prio)
exit(1);
}
gnutls_free(scert.data);
+
+ assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
}
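Review bot: The new check uses assert(), which is compiled out when NDEBUG is defined, so a build with NDEBUG would silently stop verifying the point of this merge; the same applies to the second hunk of this file and to the two added lines in tests/mini-x509.c. The surrounding code reports failures with exit(1), and tests/resume.c in this same merge uses fail(), so if fail() from the test utilities is available here, `if (gnutls_certificate_type_get(server) != GNUTLS_CRT_X509)` followed by `fail("unexpected certificate type on server: %d\n", gnutls_certificate_type_get(server));` keeps the check active in every build. start() continues outside the hunk.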
/* check gnutls_certificate_get_ours() - client side */
@@ -336,6 +338,8 @@ void start(const char *prio)
exit(1);
}
gnutls_free(ccert.data);
+
+ assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
}
/* check the number of certificates received */
diff --git a/tests/mini-x509.c b/tests/mini-x509.c
index 52c650aa7f..c26b13f716 100644
--- a/tests/mini-x509.c
+++ b/tests/mini-x509.c
@@ -124,6 +124,9 @@ void start(const char *prio, unsigned expect_max)
}
}
+ assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
+ assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
+
/* check the number of certificates received and verify */
{
unsigned cert_list_size = 0;
diff --git a/tests/resume.c b/tests/resume.c
index 5e545cc658..41cbebf8ea 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -391,14 +391,17 @@ static void verify_server_params(gnutls_session_t session, unsigned counter, str
#if defined(USE_X509)
unsigned int l;
+ if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
+ fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session));
+
if (counter == 0 && gnutls_certificate_get_ours(session) == NULL)
- fail("no certificate returned on server side (%s)\n", counter?"resumed session":"first session");
+ fail("no certificate returned on server side (%s)\n", counter ? "resumed session" : "first session");
else if (counter != 0 && gnutls_certificate_get_ours(session) != NULL)
- fail("certificate was returned on server side (%s)\n", counter?"resumed session":"first session");
+ fail("certificate was returned on server side (%s)\n", counter ? "resumed session" : "first session");
if (params->client_cert) {
if (gnutls_certificate_get_peers(session, &l) == NULL || l < 1)
- fail("no client certificate returned on server side (%s)\n", counter?"resumed session":"first session");
+ fail("no client certificate returned on server side (%s)\n", counter ? "resumed session" : "first session");
}
#endif
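Review bot: The added certificate-type check only covers the server side; verify_client_params() in the next hunk of this file gains no equivalent, so a resumed client session that reports something other than GNUTLS_CRT_X509 would still pass this test. Adding the same two lines under its `#if defined(USE_X509)` block, `if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)` and `fail("did not find the expected X509 certificate type on client side! (%d)\n", gnutls_certificate_type_get(session));`, covers both directions of the regression the merge fixes. As a minor point, the value is fetched twice in the server-side check; a local would read more cleanly. verify_server_params continues outside the hunk.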
@@ -432,7 +435,7 @@ static void verify_client_params(gnutls_session_t session, unsigned counter)
#if defined(USE_X509)
unsigned int l;
if (gnutls_certificate_get_peers(session, &l) == NULL || l < 1)
- fail("no server certificate returned on client side (%s)\n", counter?"resumed session":"first session");
+ fail("no server certificate returned on client side (%s)\n", counter ? "resumed session" : "first session");
#else
return;
#endif