diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-06-27 14:19:02 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-07-02 08:39:50 +0000 |
commit | 32fe53b2d71a396ddf3cdc245bb6a99c04366921 (patch) | |
tree | ccc30bed0a969d0f737414ca4a0b246b3ccd705b | |
parent | 93cc44b19242819a32b29a381d220e96a3c0fc41 (diff) | |
download | gnutls-32fe53b2d71a396ddf3cdc245bb6a99c04366921.tar.gz |
tls13 handshake: allow certificate messages after handshake
This allows post-handshake authentication even when PSK
is negotiated.
Resolves #489
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/tls13/certificate.c | 7 | ||||
-rw-r--r-- | lib/tls13/certificate_request.c | 6 | ||||
-rw-r--r-- | lib/tls13/certificate_verify.c | 4 | ||||
-rw-r--r-- | lib/tls13/post_handshake.c | 8 |
4 files changed, 19 insertions, 6 deletions
diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c index 90bd366854..b9a54df355 100644 --- a/lib/tls13/certificate.c +++ b/lib/tls13/certificate.c @@ -38,7 +38,8 @@ int _gnutls13_recv_certificate(gnutls_session_t session) gnutls_buffer_st buf; unsigned optional = 0; - if (session->internals.hsk_flags & HSK_PSK_SELECTED) + if (!session->internals.initial_negotiation_completed && + session->internals.hsk_flags & HSK_PSK_SELECTED) return 0; if (session->security_parameters.entity == GNUTLS_SERVER) { @@ -201,8 +202,10 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) gnutls_certificate_credentials_t cred; if (again == 0) { - if (session->internals.hsk_flags & HSK_PSK_SELECTED) + if (!session->internals.initial_negotiation_completed && + session->internals.hsk_flags & HSK_PSK_SELECTED) return 0; + if (session->security_parameters.entity == GNUTLS_SERVER && session->internals.resumed) return 0; diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c index 09fb56d0bd..a7ec0e2fd9 100644 --- a/lib/tls13/certificate_request.c +++ b/lib/tls13/certificate_request.c @@ -192,7 +192,8 @@ int _gnutls13_recv_certificate_request(gnutls_session_t session) int ret; gnutls_buffer_st buf; - if (session->internals.hsk_flags & HSK_PSK_SELECTED) + if (!session->internals.initial_negotiation_completed && + session->internals.hsk_flags & HSK_PSK_SELECTED) return 0; if (unlikely(session->security_parameters.entity != GNUTLS_CLIENT)) @@ -254,7 +255,8 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again) if (again == 0) { unsigned char rnd[12]; - if (session->internals.hsk_flags & HSK_PSK_SELECTED) + if (!session->internals.initial_negotiation_completed && + session->internals.hsk_flags & HSK_PSK_SELECTED) return 0; if (session->internals.send_cert_req == 0) diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index f1dbabab05..96076e4e46 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -154,8 +154,10 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) bool server = 0; if (again == 0) { - if (session->internals.hsk_flags & HSK_PSK_SELECTED) + if (!session->internals.initial_negotiation_completed && + session->internals.hsk_flags & HSK_PSK_SELECTED) return 0; + if (session->security_parameters.entity == GNUTLS_SERVER && session->internals.resumed) return 0; diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c index b12c0ba221..ddab66f9a3 100644 --- a/lib/tls13/post_handshake.c +++ b/lib/tls13/post_handshake.c @@ -225,7 +225,13 @@ int _gnutls13_reauth_server(gnutls_session_t session) * * Prior to calling this function in server side, the function * gnutls_certificate_server_set_request() must be called setting expectations - * for the received certificate (request or require). + * for the received certificate (request or require). If none are set + * this function will return with %GNUTLS_E_INVALID_REQUEST. + * + * Note that post handshake authentication is available irrespective + * of the initial negotiation type (PSK or certificate). In all cases + * however, certificate credentials must be set to the session prior + * to calling this function. * * Returns: %GNUTLS_E_SUCCESS on a successful authentication, otherwise a negative error code. **/ |