From b44430523cca648364386e758c1b7df161c2a29d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 14 Nov 2018 15:20:08 +0100 Subject: gnutls_certificate_type_get*: ensure that the default type is returned That is, ensure that unless we negotiate something else than X509, the default certificate type is returned to applications. Previously we wouldn't do that for TLS1.3 resumed sessions, and we would return zero (invalid type) instead. That addresses issues with applications checking explicitly for X509 certificate type being present. Signed-off-by: Nikos Mavrogiannopoulos --- lib/session_pack.c | 20 ++++++++++---------- tests/mini-x509-2.c | 4 ++++ tests/mini-x509.c | 3 +++ tests/resume.c | 3 +++ 4 files changed, 20 insertions(+), 10 deletions(-) diff --git a/lib/session_pack.c b/lib/session_pack.c index 1869f7740b..eec594e38e 100644 --- a/lib/session_pack.c +++ b/lib/session_pack.c @@ -905,14 +905,14 @@ pack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) BUFFER_APPEND_NUM(ps, session->security_parameters.pversion->id); + BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype); + BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype); + /* if we are under TLS 1.3 do not pack keys or params negotiated using an extension * they are not necessary */ if (!session->security_parameters.pversion->tls13_sem) { BUFFER_APPEND(ps, session->security_parameters.cs->id, 2); - BUFFER_APPEND_NUM(ps, session->security_parameters.client_ctype); - BUFFER_APPEND_NUM(ps, session->security_parameters.server_ctype); - BUFFER_APPEND_PFX1(ps, session->security_parameters.master_secret, GNUTLS_MASTER_SIZE); BUFFER_APPEND_PFX1(ps, session->security_parameters.client_random, 
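Review bot: Moving the two `BUFFER_APPEND_NUM` calls for `client_ctype` and `server_ctype` ahead of the `tls13_sem` test changes the byte layout of every packed session, not only the TLS 1.3 ones; for earlier protocol versions the certificate types now precede the ciphersuite id. Session data packed by an older build and handed to the new `unpack_security_parameters` would be parsed with shifted fields unless the packed-data header rejects it first; that check is not visible in this hunk and should be confirmed. A comment above the two lines would record the coupling, e.g. `/* packed unconditionally: resumed TLS 1.3 sessions need the certificate types too; keep in sync with unpack_security_parameters() */`. The body of `pack_security_parameters` starts and ends outside the hunk.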
@@ -1005,19 +1005,19 @@ unpack_security_parameters(gnutls_session_t session, gnutls_buffer_st * ps) NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + BUFFER_POP_NUM(ps, + session->internals.resumed_security_parameters. + client_ctype); + BUFFER_POP_NUM(ps, + session->internals.resumed_security_parameters. + server_ctype); + if (!session->internals.resumed_security_parameters.pversion->tls13_sem) { BUFFER_POP(ps, cs, 2); session->internals.resumed_security_parameters.cs = ciphersuite_to_entry(cs); if (session->internals.resumed_security_parameters.cs == NULL) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - BUFFER_POP_NUM(ps, - session->internals.resumed_security_parameters. - client_ctype); - BUFFER_POP_NUM(ps, - session->internals.resumed_security_parameters. - server_ctype); - /* master secret */ ret = _gnutls_buffer_pop_datum_prefix8(ps, &t); if (ret < 0) { diff --git a/tests/mini-x509-2.c b/tests/mini-x509-2.c index 8badfc1ecb..e20d45b7ff 100644 --- a/tests/mini-x509-2.c +++ b/tests/mini-x509-2.c @@ -303,6 +303,8 @@ void start(const char *prio) exit(1); } gnutls_free(scert.data); + + assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509); } /* check gnutls_certificate_get_ours() - client side */ @@ -336,6 +338,8 @@ void start(const char *prio) exit(1); } gnutls_free(ccert.data); + + assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509); } /* check the number of certificates received */ diff --git a/tests/mini-x509.c b/tests/mini-x509.c index 52c650aa7f..c26b13f716 100644 --- a/tests/mini-x509.c +++ b/tests/mini-x509.c @@ -124,6 +124,9 @@ void start(const char *prio, unsigned expect_max) } } + assert(gnutls_certificate_type_get(server)==GNUTLS_CRT_X509); + assert(gnutls_certificate_type_get(client)==GNUTLS_CRT_X509); + /* check the number of certificates received and verify */ { unsigned cert_list_size = 0; diff --git a/tests/resume.c b/tests/resume.c index 5e545cc658..3ce3e293c1 100644 --- a/tests/resume.c +++ b/tests/resume.c 
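Review bot: The values popped into `resumed_security_parameters.client_ctype` and `server_ctype` in `unpack_security_parameters` are stored without a validity check. The ciphersuite read from the same buffer is rejected with `GNUTLS_E_INVALID_REQUEST` when `ciphersuite_to_entry(cs)` returns NULL. Going by the commit message, these fields are what `gnutls_certificate_type_get()` reports for a resumed session, so a zero or out-of-range number in stored session data would reach applications that branch on the certificate type. If zero is never a legitimate packed value, reject it right after the two pops with `if (session->internals.resumed_security_parameters.client_ctype == GNUTLS_CRT_UNKNOWN || session->internals.resumed_security_parameters.server_ctype == GNUTLS_CRT_UNKNOWN) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`, and add an upper bound if the enum defines one. The function body starts and ends outside the hunk.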
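Review bot: The new checks in tests/mini-x509-2.c (both hunks) and tests/mini-x509.c use `assert()`, which compiles to nothing when the tests are built with `NDEBUG` and does not print the value that was returned. tests/resume.c in the same commit reports the mismatch through `fail()` with the type included. Writing these as `if (gnutls_certificate_type_get(server) != GNUTLS_CRT_X509) fail("unexpected certificate type (%d)\n", gnutls_certificate_type_get(server));` (and the same for `client`) would keep the check unconditional, assuming `fail()` is available in these files as it is in resume.c. `start()` begins and ends outside the hunks.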
@@ -391,6 +391,9 @@ static void verify_server_params(gnutls_session_t session, unsigned counter, str #if defined(USE_X509) unsigned int l; + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) + fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session)); + if (counter == 0 && gnutls_certificate_get_ours(session) == NULL) fail("no certificate returned on server side (%s)\n", counter?"resumed session":"first session"); else if (counter != 0 && gnutls_certificate_get_ours(session) != NULL) -- cgit v1.2.1 From ab02aa24ee5095776d5b9c482b1a1c377955bc1b Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 19 Nov 2018 06:50:55 +0100 Subject: tests: resume: use spaces around '?' and ':' according to coding style Also set a link to the kernel coding style in CONTRIBUTIONS.md Signed-off-by: Nikos Mavrogiannopoulos --- CONTRIBUTING.md | 5 +++-- tests/resume.c | 8 ++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c5a02c61a6..dc0f40d0a1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -63,8 +63,9 @@ case by case basis. # Indentation style: - In general, use the Linux kernel coding style. You may indent the source -using GNU indent, e.g. "indent -linux *.c". + In general, use [the Linux kernel coding style](https://www.kernel.org/doc/html/latest/process/coding-style.html). +You may indent the source using GNU indent, e.g. "indent -linux *.c". + # Function names: diff --git a/tests/resume.c b/tests/resume.c index 3ce3e293c1..41cbebf8ea 100644 --- a/tests/resume.c +++ b/tests/resume.c 
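Review bot: The certificate-type check is added only to `verify_server_params`, so the client side of a resumed session stays untested. The client presumably restores the same packed fields, and `verify_client_params`, visible later in this series, still checks only `gnutls_certificate_get_peers()`. Adding `if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session));` inside its `USE_X509` section would cover it. Both functions continue outside the hunk.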
@@ -395,13 +395,13 @@ static void verify_server_params(gnutls_session_t session, unsigned counter, str fail("did not find the expected X509 certificate type! (%d)\n", gnutls_certificate_type_get(session)); if (counter == 0 && gnutls_certificate_get_ours(session) == NULL) - fail("no certificate returned on server side (%s)\n", counter?"resumed session":"first session"); + fail("no certificate returned on server side (%s)\n", counter ? "resumed session" : "first session"); else if (counter != 0 && gnutls_certificate_get_ours(session) != NULL) - fail("certificate was returned on server side (%s)\n", counter?"resumed session":"first session"); + fail("certificate was returned on server side (%s)\n", counter ? "resumed session" : "first session"); if (params->client_cert) { if (gnutls_certificate_get_peers(session, &l) == NULL || l < 1) - fail("no client certificate returned on server side (%s)\n", counter?"resumed session":"first session"); + fail("no client certificate returned on server side (%s)\n", counter ? "resumed session" : "first session"); } #endif @@ -435,7 +435,7 @@ static void verify_client_params(gnutls_session_t session, unsigned counter) #if defined(USE_X509) unsigned int l; if (gnutls_certificate_get_peers(session, &l) == NULL || l < 1) - fail("no server certificate returned on client side (%s)\n", counter?"resumed session":"first session"); + fail("no server certificate returned on client side (%s)\n", counter ? "resumed session" : "first session"); #else return; #endif -- cgit v1.2.1 From 05a6f8c9466f3138043c49e8da18d8ac097dc155 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Sun, 18 Nov 2018 20:22:08 +0100 Subject: gnutls_certificate_type_get*: updated documentation to list limitations Signed-off-by: Nikos Mavrogiannopoulos --- lib/state.c | 39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/lib/state.c b/lib/state.c index 5364d5e727..29591aad0b 100644 --- a/lib/state.c 
+++ b/lib/state.c @@ -89,11 +89,16 @@ gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session) * gnutls_certificate_type_get: * @session: is a #gnutls_session_t type. * - * The certificate type is by default X.509, unless it is negotiated - * as a TLS extension. + * This function returns the type of the certificate that is negotiated + * for this side to send to the peer. The certificate type is by default + * X.509, unless an alternative certificate type is enabled by + * gnutls_init() and negotiated during the session. + * + * Resumed sessions will return the certificate type that was negotiated + * and used in the original session. * * As of version 3.6.4 it is recommended to use - * gnutls_certificate_type_get2(). + * gnutls_certificate_type_get2() which is more fine-grained. * * Returns: the currently used #gnutls_certificate_type_t certificate * type as negotiated for 'our' side of the connection. 
@@ -109,20 +114,22 @@ gnutls_certificate_type_get(gnutls_session_t session) * @session: is a #gnutls_session_t type. * @target: is a #gnutls_ctype_target_t type. * - * The raw public-key extension (RFC7250) introduces a mechanism - * to specifcy different certificate types for the client and server. We - * therefore distinguish between negotiated certificate types for the - * client and server. The @target parameter specifies whether you want - * the negotiated certificate type for the client (GNUTLS_CTYPE_CLIENT) - * or for the server (GNUTLS_CTYPE_SERVER). Additionally, in P2P mode + * This function returns the type of the certificate that a side + * is negotiated to use. The certificate type is by default X.509, + * unless an alternative certificate type is enabled by gnutls_init() and + * negotiated during the session. + * + * The @target parameter specifies whether to request the negotiated + * certificate type for the client (%GNUTLS_CTYPE_CLIENT), + * or for the server (%GNUTLS_CTYPE_SERVER). Additionally, in P2P mode * connection set up where you don't know in advance who will be client - * and who will be server you can use the flag (GNUTLS_CTYPE_OURS) and - * (GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types. + * and who will be server you can use the flag (%GNUTLS_CTYPE_OURS) and + * (%GNUTLS_CTYPE_PEERS) to retrieve the corresponding certificate types. * - * In case no certificate types were explicitly set via the priority - * strings to be negotiated during the handshake, then this function - * will return the default certificate type (X.509) for both the - * client and the server. + * Resumed sessions will return the certificate type that was negotiated + * and used in the original session. That is, this function can be used + * to reliably determine the type of the certificate returned by + * gnutls_certificate_get_peers(). * * Returns: the currently used #gnutls_certificate_type_t certificate * type for the client or the server. 
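Review bot: The new paragraph says this function can reliably determine the type of the certificate returned by `gnutls_certificate_get_peers()`, but it does not say which `@target` gives that answer. A caller passing `%GNUTLS_CTYPE_OURS`, or the wrong fixed side, would get the type negotiated for its own certificate and might interpret the peer's data under the wrong format. I would end the sentence with `* gnutls_certificate_get_peers() when called with %GNUTLS_CTYPE_PEERS.` The rewrite also drops the RFC7250 reference, and a single line keeping that pointer would help readers find the negotiation mechanism.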
@@ -131,7 +138,7 @@ gnutls_certificate_type_get(gnutls_session_t session) **/ gnutls_certificate_type_t gnutls_certificate_type_get2(gnutls_session_t session, - gnutls_ctype_target_t target) + gnutls_ctype_target_t target) { switch (target) { case GNUTLS_CTYPE_CLIENT: -- cgit v1.2.1