]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
The certificate verification callback is being run after the certificate status respo...
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 28 Sep 2012 16:54:15 +0000 (18:54 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 28 Sep 2012 16:56:37 +0000 (18:56 +0200)
lib/auth/cert.c
lib/ext/status_request.c
lib/gnutls_handshake.c
lib/gnutls_int.h

index 0e9e0d982519b8bbda92cbb72f634795b6d5aac8..44835f03e98d62b3f242b57478d0292f97782dee 100644 (file)
@@ -1396,8 +1396,7 @@ cleanup:
 #endif
 
 int
-_gnutls_proc_crt (gnutls_session_t session,
-                                      uint8_t * data, size_t data_size)
+_gnutls_proc_crt (gnutls_session_t session, uint8_t * data, size_t data_size)
 {
   int ret;
   gnutls_certificate_credentials_t cred;
@@ -1428,13 +1427,6 @@ _gnutls_proc_crt (gnutls_session_t session,
       return GNUTLS_E_INTERNAL_ERROR;
     }
 
-  if (ret == 0 && cred->verify_callback != NULL)
-    {
-      ret = cred->verify_callback (session);
-      if (ret != 0)
-        ret = GNUTLS_E_CERTIFICATE_ERROR;
-    }
-
   return ret;
 }
 
index 489d949a46e8a34d5dff658770aec948e782caa5..8cfe1decf6ef3cb8d7fef5b33bf036ba32843785 100644 (file)
@@ -136,8 +136,6 @@ server_recv (gnutls_session_t session,
 
   priv->responder_id_size = _gnutls_read_uint16 (data);
   
-  _gnutls_debug_log("Status Request: Responder ID size: %u\n", priv->responder_id_size);
-  
   DECR_LEN(data_size, 2);
   data += 2;
 
@@ -270,7 +268,8 @@ _gnutls_status_request_recv_params (gnutls_session_t session,
  *
  * This function is to be used by clients to request OCSP response
  * from the server, using the "status_request" TLS extension.  Only
- * OCSP status type is supported. Typically @responder_id and @extensions
+ * OCSP status type is supported. A typical server has a single
+ * OCSP response cached, so @responder_id and @extensions
  * should be null.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
index b6a5e62fa004c33fdecf4c339ef590be86fd59d2..804ae1b1d40ebb7d9d410e51d4e55832c89bdb47 100644 (file)
@@ -2473,6 +2473,27 @@ gnutls_handshake_set_timeout (gnutls_session_t session, unsigned int ms)
        } } while (0)
 
 
+static int run_verify_callback(gnutls_session_t session)
+{
+  gnutls_certificate_credentials_t cred;
+  int ret;
+
+  cred =
+    (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
+                                                         GNUTLS_CRD_CERTIFICATE,
+                                                         NULL);
+  if (cred == NULL)
+    return 0;
+
+  if (cred->verify_callback != NULL)
+    {
+      ret = cred->verify_callback (session);
+      if (ret != 0)
+        return GNUTLS_E_CERTIFICATE_ERROR;
+    }
+  
+  return 0;
+}
 
 /*
  * _gnutls_handshake_client 
@@ -2503,14 +2524,14 @@ _gnutls_handshake_client (gnutls_session_t session)
       STATE = STATE1;
       IMED_RET ("send hello", ret, 1);
 
-    case STATE11:
+    case STATE2:
       if (IS_DTLS (session))
         {
           ret =
             _gnutls_recv_handshake (session, 
                   GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
                   1, NULL);
-          STATE = STATE11;
+          STATE = STATE2;
           IMED_RET ("recv hello verify", ret, 1);
 
           if (ret == 1)
@@ -2519,91 +2540,96 @@ _gnutls_handshake_client (gnutls_session_t session)
               return 1;
             }
         }
-    case STATE2:
+    case STATE3:
       /* receive the server hello */
       ret =
         _gnutls_recv_handshake (session,
                                 GNUTLS_HANDSHAKE_SERVER_HELLO,
                                 0, NULL);
-      STATE = STATE2;
+      STATE = STATE3;
       IMED_RET ("recv hello", ret, 1);
 
-    case STATE70:
+    case STATE4:
       if (session->security_parameters.do_recv_supplemental)
         {
           ret = _gnutls_recv_supplemental (session);
-          STATE = STATE70;
+          STATE = STATE4;
           IMED_RET ("recv supplemental", ret, 1);
         }
 
-    case STATE3:
+    case STATE5:
       /* RECV CERTIFICATE */
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
         ret = _gnutls_recv_server_certificate (session);
-      STATE = STATE3;
+      STATE = STATE5;
       IMED_RET ("recv server certificate", ret, 1);
 
-    case STATE4:
+    case STATE6:
       /* RECV CERTIFICATE STATUS */
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
         ret = _gnutls_recv_server_certificate_status (session);
-      STATE = STATE4;
+      STATE = STATE6;
       IMED_RET ("recv server certificate", ret, 1);
 
-    case STATE5:
+    case STATE7:
+      ret = run_verify_callback(session);
+      STATE = STATE7;
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+    case STATE8:
       /* receive the server key exchange */
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
         ret = _gnutls_recv_server_kx_message (session);
-      STATE = STATE5;
+      STATE = STATE8;
       IMED_RET ("recv server kx message", ret, 1);
 
-    case STATE6:
+    case STATE9:
       /* receive the server certificate request - if any 
        */
 
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
         ret = _gnutls_recv_server_crt_request (session);
-      STATE = STATE6;
+      STATE = STATE9;
       IMED_RET ("recv server certificate request message", ret, 1);
 
-    case STATE7:
+    case STATE10:
       /* receive the server hello done */
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
         ret =
           _gnutls_recv_handshake (session,
                                   GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
                                   0, NULL);
-      STATE = STATE7;
+      STATE = STATE10;
       IMED_RET ("recv server hello done", ret, 1);
 
-    case STATE71:
+    case STATE11:
       if (session->security_parameters.do_send_supplemental)
         {
-          ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
-          STATE = STATE71;
+          ret = _gnutls_send_supplemental (session, AGAIN (STATE11));
+          STATE = STATE11;
           IMED_RET ("send supplemental", ret, 0);
         }
 
-    case STATE8:
+    case STATE12:
       /* send our certificate - if any and if requested
        */
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
-        ret = _gnutls_send_client_certificate (session, AGAIN (STATE8));
-      STATE = STATE8;
+        ret = _gnutls_send_client_certificate (session, AGAIN (STATE12));
+      STATE = STATE12;
       IMED_RET ("send client certificate", ret, 0);
 
-    case STATE9:
+    case STATE13:
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
-        ret = _gnutls_send_client_kx_message (session, AGAIN (STATE9));
-      STATE = STATE9;
+        ret = _gnutls_send_client_kx_message (session, AGAIN (STATE13));
+      STATE = STATE13;
       IMED_RET ("send client kx", ret, 0);
 
-    case STATE10:
+    case STATE14:
       /* send client certificate verify */
       if (session->internals.resumed == RESUME_FALSE)   /* if we are not resuming */
         ret =
-          _gnutls_send_client_certificate_verify (session, AGAIN (STATE10));
-      STATE = STATE10;
+          _gnutls_send_client_certificate_verify (session, AGAIN (STATE14));
+      STATE = STATE14;
       IMED_RET ("send client certificate verify", ret, 1);
 
       STATE = STATE0;
index fed0eef8573c0017fd178e77530388944f65d772..9c4c8502fb0cc9c9ecbcd4294663b49b7f846349 100644 (file)
@@ -223,8 +223,8 @@ typedef struct
 
 typedef enum handshake_state_t
 { STATE0 = 0, STATE1, STATE2,
-  STATE3, STATE4, STATE5,
-  STATE6, STATE7, STATE8, STATE9, STATE10, STATE11,
+  STATE3, STATE4, STATE5, STATE6, STATE7, STATE8, 
+  STATE9, STATE10, STATE11, STATE12, STATE13, STATE14,
   STATE20 = 20, STATE21, STATE22,
   STATE30 = 30, STATE31, STATE40 = 40, STATE41, STATE50 = 50,
   STATE60 = 60, STATE61, STATE62, STATE70, STATE71