-rw-r--r-- | CONTRIBUTING.md | 5 | ||||
-rw-r--r-- | lib/session_pack.c | 20 | ||||
-rw-r--r-- | lib/state.c | 39 | ||||
-rw-r--r-- | tests/mini-x509-2.c | 4 | ||||
-rw-r--r-- | tests/mini-x509.c | 3 | ||||
-rw-r--r-- | tests/resume.c | 11 |
6 files changed, 50 insertions, 32 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c5a02c61a6..dc0f40d0a1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -63,8 +63,9 @@ case by case basis.
 # Indentation style:
- In general, use the Linux kernel coding style. You may indent the source
-using GNU indent, e.g. "indent -linux *.c".
+ In general, use [the Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html).
+You may indent the source using GNU indent, e.g. "indent -linux *.c".
+
 # Function names:
diff --git a/lib/session_pack.c b/lib/session_pack.c
index 1869f7740b..eec594e38e 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -905,14 +905,14 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
 BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id);
+ BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
+ BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
+
 /* if we are under TLS 1.3 do not pack keys or params negotiated using an extension
 * they are not necessary */
 if (!session->security_parameters.pversion->tls13_sem) {
 BUFFER_APPEND(ps, session->security_parameters.cs->id, 2);
- BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype);
- BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype);
-
 BUFFER_APPEND_PFX1(ps, session->security_parameters.master_secret, GNUTLS_MASTER_SIZE);
 BUFFER_APPEND_PFX1(ps, session->security_parameters.client_random, 
@@ -1005,19 +1005,19 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps)
 NULL)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ BUFFER_POP_NUM(ps,
+ session->internals.resumed_security_parameters.
+ client_ctype);
+ BUFFER_POP_NUM(ps,
+ session->internals.resumed_security_parameters.
+ server_ctype);
+
 if (!session->internals.resumed_security_parameters.pversion->tls13_sem) {
 BUFFER_POP(ps, cs, 2);
 session->internals.resumed_security_parameters.cs = ciphersuite_to_entry(cs);
 if (session->internals.resumed_security_parameters.cs == NULL)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- BUFFER_POP_NUM(ps,
- session->internals.resumed_security_parameters.
- client_ctype);
- BUFFER_POP_NUM(ps,
- session->internals.resumed_security_parameters.
- server_ctype);
-
 /* master secret */
 ret = _gnutls_buffer_pop_datum_prefix8(ps, &t);
 if (ret < 0) {
diff --git a/lib/state.c b/lib/state.c
index 7e6354f9fe..98c6bb56f9 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -89,11 +89,16 @@ gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session)
 * gnutls_certificate_type_get:
 * @session: is a #gnutls_session_t type.
 *
- * The certificate type is by default X.509, unless it is negotiated
- * as a TLS extension.
+ * This function returns the type of the certificate that is negotiated
+ * for this side to send to the peer. The certificate type is by default
+ * X.509, unless an alternative certificate type is enabled by
+ * gnutls_init() and negotiated during the session.
+ *
+ * Resumed sessions will return the certificate type that was negotiated
+ * and used in the original session.
 *
 * As of version 3.6.4 it is recommended to use
- * gnutls_certificate_type_get2().
+ * gnutls_certificate_type_get2() which is more fine-grained.
 *
 * Returns: the currently used #gnutls_certificate_type_t certificate
 * type as negotiated for 'our' side of the connection.
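Review bot: The two added BUFFER_POP_NUM() calls store whatever integer the packed blob carries straight into resumed_security_parameters.client_ctype and server_ctype, whereas the ciphersuite read a few lines below is validated (ciphersuite_to_entry() returning NULL yields GNUTLS_E_INVALID_REQUEST). The unpacked value is what gnutls_certificate_type_get2() now reports for a resumed session, and the blob may come from an application-supplied session store, so the same guarantee is worth giving here: after each pop, check that the value is one of the gnutls_certificate_type_t values the library can negotiate (GNUTLS_CRT_X509 is the one exercised by the tests in this commit) and `return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` otherwise. Note also that the packed layout changed (both ctypes now precede the tls13_sem branch and are present for TLS 1.3 sessions too, mirroring the pack_security_parameters() hunk), so a blob written by an older build would be misparsed here unless the format's version/magic check rejects it — I cannot see that check in this hunk, so please confirm. unpack_security_parameters() continues past the end of the hunk.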
@@ -109,20 +114,22 @@ gnutls_certificate_type_get(gnutls_session_t session)
 * @session: is a #gnutls_session_t type.
 * @target: is a #gnutls_ctype_target_t type.
 *
- * The raw public-key extension (RFC7250) introduces a mechanism
- * to specifcy different certificate types for the client and server. We
- * therefore distinguish between negotiated certificate types for the
- * client and server. The @target parameter specifies whether you want
- * the negotiated certificate type for the client (GNUTLS_CTYPE_CLIENT)
- * or for the server (GNUTLS_CTYPE_SERVER). Additionally, in P2P mode
+ * This function returns the type of the certificate that a side
+ * is negotiated to use. The certificate type is by default X.509,
+ * unless an alternative certificate type is enabled by gnutls_init() and
+ * negotiated during the session.
+ *
+ * The @target parameter specifies whether to request the negotiated
+ * certificate type for the client (%GNUTLS_CTYPE_CLIENT),
+ * or for the server (%GNUTLS_CTYPE_SERVER). Additionally, in P2P mode
 * connection set up where you don't know in advance who will be client
- * and who will be server you can use the flag (GNUTLS_CTYPE_OURS) and
- * (GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types.
+ * and who will be server you can use the flag (%GNUTLS_CTYPE_OURS) and
+ * (%GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types.
 *
- * In case no certificate types were explicitly set via the priority
- * strings to be negotiated during the handshake, then this function
- * will return the default certificate type (X.509) for both the
- * client and the server.
+ * Resumed sessions will return the certificate type that was negotiated
+ * and used in the original session. That is, this function can be used
+ * to reliably determine the type of the certificate returned by
+ * gnutls_certificate_get_peers().
 *
 * Returns: the currently used #gnutls_certificate_type_t certificate
 * type for the client or the server.
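Review bot: The opening sentence of the rewritten gnutls_certificate_type_get2() description, `This function returns the type of the certificate that a side is negotiated to use`, is grammatically off and leaves "a side" undefined until the @target paragraph further down. Suggest `* This function returns the certificate type negotiated for the side selected by @target.` so the sentence stands on its own, in line with the gnutls_certificate_type_get() text in the previous hunk, which names the side explicitly. The closing claim that the function determines the type returned by gnutls_certificate_get_peers() holds only when @target denotes the peer (GNUTLS_CTYPE_PEERS, or the server target on a client); since the same function also answers for our own side, stating that qualification would avoid callers reading it as unconditional.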
@@ -131,7 +138,7 @@ gnutls_certificate_type_get(gnutls_session_t session)
 **/
 gnutls_certificate_type_t
 gnutls_certificate_type_get2(gnutls_session_t session,
- gnutls_ctype_target_t target)
+ gnutls_ctype_target_t target)
 {
 switch (target) {
 case GNUTLS_CTYPE_CLIENT:
diff --git a/tests/mini-x509-2.c b/tests/mini-x509-2.c
index 8badfc1ecb..e20d45b7ff 100644
--- a/tests/mini-x509-2.c
+++ b/tests/mini-x509-2.c
@@ -303,6 +303,8 @@ void start(const char *prio)
 exit(1);
 }
 gnutls_free(scert.data);
+
+ assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
 }
 /* check gnutls_certificate_get_ours() - client side */
@@ -336,6 +338,8 @@ void start(const char *prio)
 exit(1);
 }
 gnutls_free(ccert.data);
+
+ assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
 }
 /* check the number of certificates received */
diff --git a/tests/mini-x509.c b/tests/mini-x509.c
index 52c650aa7f..c26b13f716 100644
--- a/tests/mini-x509.c
+++ b/tests/mini-x509.c
@@ -124,6 +124,9 @@ void start(const char *prio, unsigned expect_max)
 }
 }
+ assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509);
+ assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509);
+
 /* check the number of certificates received and verify */
 {
 unsigned cert_list_size = 0;
diff --git a/tests/resume.c b/tests/resume.c
index 5e545cc658..41cbebf8ea 100644
--- a/tests/resume.c
+++ b/tests/resume.c
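Review bot: The new checks in tests/mini-x509-2.c (both hunks) and tests/mini-x509.c use assert(), which compiles to nothing when NDEBUG is defined and, when it does fire, reports only the expression rather than the type actually seen; the equivalent check added to tests/resume.c in this same commit uses fail() and prints the returned value. For consistency, and so the check cannot be silently disabled by build flags, `if (gnutls_certificate_type_get(server) != GNUTLS_CRT_X509) fail("unexpected server certificate type (%d)\n", gnutls_certificate_type_get(server));` (and the same for client) would be preferable, assuming fail() is in scope in these test files as it is in resume.c. The missing spaces around `==` also depart from the kernel style that CONTRIBUTING.md now links to. start() begins and ends outside these hunks.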
@@ -391,14 +391,17 @@ static void verify_server_params(gnutls_session_t session, unsigned counter, str
 #if defined(USE_X509)
 unsigned int l;
+ if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
+ fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session));
+
 if (counter == 0 && gnutls_certificate_get_ours(session) == NULL)
- fail("no certificate returned on server side (%s)\n", counter?"resumed session":"first session");
+ fail("no certificate returned on server side (%s)\n", counter ? "resumed session" : "first session");
 else if (counter != 0 && gnutls_certificate_get_ours(session) != NULL)
- fail("certificate was returned on server side (%s)\n", counter?"resumed session":"first session");
+ fail("certificate was returned on server side (%s)\n", counter ? "resumed session" : "first session");
 if (params->client_cert) {
 if (gnutls_certificate_get_peers(session, &l) == NULL || l < 1)
- fail("no client certificate returned on server side (%s)\n", counter?"resumed session":"first session");
+ fail("no client certificate returned on server side (%s)\n", counter ? "resumed session" : "first session");
 }
 #endif
@@ -432,7 +435,7 @@ static void verify_client_params(gnutls_session_t session, unsigned counter)
 #if defined(USE_X509)
 unsigned int l;
 if (gnutls_certificate_get_peers(session, &l) == NULL || l < 1)
- fail("no server certificate returned on client side (%s)\n", counter?"resumed session":"first session");
+ fail("no server certificate returned on client side (%s)\n", counter ? "resumed session" : "first session");
 #else
 return;
 #endif |
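Review bot: The certificate-type check is added only to verify_server_params(); verify_client_params() in the second hunk still verifies just gnutls_certificate_get_peers(), so a resumed session whose client-side type is unpacked wrongly would pass unnoticed on the client, even though the client_ctype/server_ctype layout change in lib/session_pack.c affects both sides and is exactly what this test should pin down. Suggest the same two lines under the USE_X509 branch there, before the get_peers check: `if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session));`. Both functions start before their hunks and the first continues past it.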