From: Nikos Mavrogiannopoulos Date: Fri, 28 Sep 2012 16:54:15 +0000 (+0200) Subject: The certificate verification callback is being run after the certificate status respo... X-Git-Tag: gnutls_3_1_3~77 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f7210341ee723faf157236ee36ef96a3317958d2;p=thirdparty%2Fgnutls.git The certificate verification callback is being run after the certificate status response is received. --- diff --git a/lib/auth/cert.c b/lib/auth/cert.c index 0e9e0d9825..44835f03e9 100644 --- a/lib/auth/cert.c +++ b/lib/auth/cert.c @@ -1396,8 +1396,7 @@ cleanup: #endif int -_gnutls_proc_crt (gnutls_session_t session, - uint8_t * data, size_t data_size) +_gnutls_proc_crt (gnutls_session_t session, uint8_t * data, size_t data_size) { int ret; gnutls_certificate_credentials_t cred; @@ -1428,13 +1427,6 @@ _gnutls_proc_crt (gnutls_session_t session, return GNUTLS_E_INTERNAL_ERROR; } - if (ret == 0 && cred->verify_callback != NULL) - { - ret = cred->verify_callback (session); - if (ret != 0) - ret = GNUTLS_E_CERTIFICATE_ERROR; - } - return ret; } diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c index 489d949a46..8cfe1decf6 100644 --- a/lib/ext/status_request.c +++ b/lib/ext/status_request.c @@ -136,8 +136,6 @@ server_recv (gnutls_session_t session, priv->responder_id_size = _gnutls_read_uint16 (data); - _gnutls_debug_log("Status Request: Responder ID size: %u\n", priv->responder_id_size); - DECR_LEN(data_size, 2); data += 2; @@ -270,7 +268,8 @@ _gnutls_status_request_recv_params (gnutls_session_t session, * * This function is to be used by clients to request OCSP response * from the server, using the "status_request" TLS extension. Only - * OCSP status type is supported. Typically @responder_id and @extensions + * OCSP status type is supported. A typical server has a single + * OCSP response cached, so @responder_id and @extensions * should be null. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index b6a5e62fa0..804ae1b1d4 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -2473,6 +2473,27 @@ gnutls_handshake_set_timeout (gnutls_session_t session, unsigned int ms) } } while (0) +static int run_verify_callback(gnutls_session_t session) +{ + gnutls_certificate_credentials_t cred; + int ret; + + cred = + (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key, + GNUTLS_CRD_CERTIFICATE, + NULL); + if (cred == NULL) + return 0; + + if (cred->verify_callback != NULL) + { + ret = cred->verify_callback (session); + if (ret != 0) + return GNUTLS_E_CERTIFICATE_ERROR; + } + + return 0; +} /* * _gnutls_handshake_client @@ -2503,14 +2524,14 @@ _gnutls_handshake_client (gnutls_session_t session) STATE = STATE1; IMED_RET ("send hello", ret, 1); - case STATE11: + case STATE2: if (IS_DTLS (session)) { ret = _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST, 1, NULL); - STATE = STATE11; + STATE = STATE2; IMED_RET ("recv hello verify", ret, 1); if (ret == 1) @@ -2519,91 +2540,96 @@ _gnutls_handshake_client (gnutls_session_t session) return 1; } } - case STATE2: + case STATE3: /* receive the server hello */ ret = _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_SERVER_HELLO, 0, NULL); - STATE = STATE2; + STATE = STATE3; IMED_RET ("recv hello", ret, 1); - case STATE70: + case STATE4: if (session->security_parameters.do_recv_supplemental) { ret = _gnutls_recv_supplemental (session); - STATE = STATE70; + STATE = STATE4; IMED_RET ("recv supplemental", ret, 1); } - case STATE3: + case STATE5: /* RECV CERTIFICATE */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ ret = _gnutls_recv_server_certificate (session); - STATE = STATE3; + STATE = STATE5; IMED_RET ("recv server certificate", ret, 1); - case STATE4: + case STATE6: /* RECV CERTIFICATE STATUS */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ ret = _gnutls_recv_server_certificate_status (session); - STATE = STATE4; + STATE = STATE6; IMED_RET ("recv server certificate", ret, 1); - case STATE5: + case STATE7: + ret = run_verify_callback(session); + STATE = STATE7; + if (ret < 0) + return gnutls_assert_val(ret); + case STATE8: /* receive the server key exchange */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ ret = _gnutls_recv_server_kx_message (session); - STATE = STATE5; + STATE = STATE8; IMED_RET ("recv server kx message", ret, 1); - case STATE6: + case STATE9: /* receive the server certificate request - if any */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ ret = _gnutls_recv_server_crt_request (session); - STATE = STATE6; + STATE = STATE9; IMED_RET ("recv server certificate request message", ret, 1); - case STATE7: + case STATE10: /* receive the server hello done */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ ret = _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_SERVER_HELLO_DONE, 0, NULL); - STATE = STATE7; + STATE = STATE10; IMED_RET ("recv server hello done", ret, 1); - case STATE71: + case STATE11: if (session->security_parameters.do_send_supplemental) { - ret = _gnutls_send_supplemental (session, AGAIN (STATE71)); - STATE = STATE71; + ret = _gnutls_send_supplemental (session, AGAIN (STATE11)); + STATE = STATE11; IMED_RET ("send supplemental", ret, 0); } - case STATE8: + case STATE12: /* send our certificate - if any and if requested */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_send_client_certificate (session, AGAIN (STATE8)); - STATE = STATE8; + ret = _gnutls_send_client_certificate (session, AGAIN (STATE12)); + STATE = STATE12; IMED_RET ("send client certificate", ret, 0); - case STATE9: + case STATE13: if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ - ret = _gnutls_send_client_kx_message (session, AGAIN (STATE9)); - STATE = STATE9; + ret = _gnutls_send_client_kx_message (session, AGAIN (STATE13)); + STATE = STATE13; IMED_RET ("send client kx", ret, 0); - case STATE10: + case STATE14: /* send client certificate verify */ if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */ ret = - _gnutls_send_client_certificate_verify (session, AGAIN (STATE10)); - STATE = STATE10; + _gnutls_send_client_certificate_verify (session, AGAIN (STATE14)); + STATE = STATE14; IMED_RET ("send client certificate verify", ret, 1); STATE = STATE0; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index fed0eef857..9c4c8502fb 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -223,8 +223,8 @@ typedef struct typedef enum handshake_state_t { STATE0 = 0, STATE1, STATE2, - STATE3, STATE4, STATE5, - STATE6, STATE7, STATE8, STATE9, STATE10, STATE11, + STATE3, STATE4, STATE5, STATE6, STATE7, STATE8, + STATE9, STATE10, STATE11, STATE12, STATE13, STATE14, STATE20 = 20, STATE21, STATE22, STATE30 = 30, STATE31, STATE40 = 40, STATE41, STATE50 = 50, STATE60 = 60, STATE61, STATE62, STATE70, STATE71