handshake: use hsk_flags in TLS1.2 and TLS1.3
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 7 Nov 2017 14:36:01 +0000 (15:36 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 19 Feb 2018 14:29:36 +0000 (15:29 +0100)
The flags provide a more transparent view of the received
and expected messages.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/auth/cert.c
lib/cert-session.c
lib/gnutls_int.h
lib/handshake.c
lib/includes/gnutls/gnutls.h.in
lib/kx.c
lib/state.c
lib/tls13/certificate_request.c

index 7c6b631a1d3b07c3a2840dee1e48a340098d7b3a..6d618a3532778a4a64014e335a3ecf95caca6078 100644 (file)
@@ -977,7 +977,7 @@ _gnutls_proc_cert_cert_req(gnutls_session_t session, uint8_t * data,
        /* We should reply with a certificate message, 
         * even if we have no certificate to send.
         */
-       session->internals.crt_requested = 1;
+       session->internals.hsk_flags |= HSK_CRT_ASKED;
 
        /* now we ask the user to tell which one
         * he wants to use.
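Review bot: The comment above the new `hsk_flags |= HSK_CRT_ASKED` line does not say who consumes the bit, and with the old boolean gone that is the only place a reader learns why the client sets it; since the lib/kx.c hunks in this commit gate `_gnutls_send_client_certificate()` and `_gnutls_send_client_certificate_verify()` on exactly this flag, extend it to `/* We should reply with a certificate message, even if we have no certificate to send; HSK_CRT_ASKED is what _gnutls_send_client_certificate() checks. */`. The enclosing `_gnutls_proc_cert_cert_req` starts and ends outside the hunk, so whether the flag is touched again further down cannot be seen here.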
index 1ba55fa448ac8ee146e73cc222f32ddb0b12e9ec..e7a529a96a8b3883047b2c79bdd43bacf54ac4ea 100644 (file)
@@ -117,9 +117,10 @@ const gnutls_datum_t *gnutls_certificate_get_peers(gnutls_session_t
  * Returns: 0 if the peer (server) did not request client
  *   authentication or 1 otherwise.
  **/
-int gnutls_certificate_client_get_request_status(gnutls_session_t session)
+unsigned
+gnutls_certificate_client_get_request_status(gnutls_session_t session)
 {
-       return session->internals.crt_requested;
+       return (session->internals.hsk_flags & HSK_CRT_ASKED)?1:0;
 }
 
 /**
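Review bot: The exported function `gnutls_certificate_client_get_request_status` changes its return type from `int` to `unsigned` here and in the lib/includes/gnutls/gnutls.h.in prototype; the two are interchangeable on common ABIs, but it is still a declared-API change on a public symbol and should be mentioned in the release notes. The value also narrows in meaning: the field comment removed in lib/gnutls_int.h said `crt_requested` was 1 on a server waiting for a CertificateVerify (set in `_gnutls_recv_client_certificate` in lib/kx.c), whereas `HSK_CRT_ASKED` is only set on the client-side paths in lib/auth/cert.c and lib/tls13/certificate_request.c, so as far as this diff shows a server-side caller now always gets 0. That agrees with the existing doc comment but deserves an explicit sentence, ` * This function is only meaningful on the client side.`. The ternary could also be the conventional `return !!(session->internals.hsk_flags & HSK_CRT_ASKED);`.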
index 4a02ddbae1c97993626e4d901f2745e55d4b6ad3..68ca48dcc32b7bebd36ba921f8073c2ec7391018 100644 (file)
@@ -1145,14 +1145,9 @@ typedef struct {
 #define HSK_CRT_REQ_SENT (1<<5)
 #define HSK_CRT_REQ_GOT_SIG_ALGO (1<<6)
 #define HSK_KEY_UPDATE_ASKED (1<<7) /* flag is not used during handshake */
-       unsigned hsk_flags; /* TLS1.3 only */
+       unsigned hsk_flags;
        time_t last_key_update;
 
-       unsigned crt_requested; /* 1 if client auth was requested (i.e., client cert).
-        * In case of a server this holds 1 if we should wait
-        * for a client certificate verify
-        */
-
        gnutls_buffer_st hb_local_data;
        gnutls_buffer_st hb_remote_data;
        struct timespec hb_ping_start;  /* timestamp: when first HeartBeat ping was sent */
@@ -1168,6 +1163,7 @@ typedef struct {
 
        recv_state_t recv_state;        /* state of the receive function */
 
+       /* if set, server and client random were set by the application */
        bool sc_random_set;
 
        unsigned flags; /* the flags in gnutls_init() */
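Review bot: Dropping `/* TLS1.3 only */` leaves `hsk_flags` with no description at all, although it now carries TLS 1.2 state as well and, per the lib/handshake.c hunk, is cleared when gnutls_handshake() begins a new handshake; suggest `unsigned hsk_flags; /* HSK_* bits, used by TLS1.2 and TLS1.3; reset when a handshake starts */`. The semantics spelled out in the removed `crt_requested` comment (client: a certificate was requested; server: a CertificateVerify is expected) now belong to `HSK_CRT_ASKED` and `HSK_CRT_VRFY_EXPECTED`, whose definitions are above this hunk and not visible here; moving that explanation onto those two defines keeps it from being lost with the field.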
index f7c68534168db16dfdeb313ebbe09297fb4cbeaf..559e115528563017ce7c892db7f48bdf32e72ae8 100644 (file)
@@ -2394,7 +2394,7 @@ int gnutls_handshake(gnutls_session_t session)
                        return gnutls_assert_val(ret);
 
                session->internals.used_exts = 0;
-               session->internals.crt_requested = 0;
+               session->internals.hsk_flags = 0;
                session->internals.handshake_in_progress = 1;
                session->internals.vc_status = -1;
                gettime(&session->internals.handshake_start_time);
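Review bot: The `hsk_flags = 0` reset now exists only in this block of gnutls_handshake(), while the lib/state.c hunk removes the one in handshake_internal_state_clear1(); any other caller of that helper therefore no longer clears the flags, so a bit such as HSK_CRT_VRFY_EXPECTED can survive whatever state reset the helper is used for. The callers are not visible in this diff, so this is something to confirm rather than a definite defect. The indentation suggests the assignment sits under a condition that begins above the hunk (the function starts outside it), presumably so the reset runs once per new handshake and not on every re-entry after GNUTLS_E_AGAIN; a short comment, `/* start from a clean HSK_* state; runs once per new handshake, not on re-entry */`, would record that.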
index cddc3d434859795553993532eef78b3429ccd5ce..5be740374bc9b77d7295be05a5cb4e8f07921471 100644 (file)
@@ -2432,7 +2432,7 @@ int gnutls_certificate_get_peers_subkey_id(gnutls_session_t session,
 time_t gnutls_certificate_activation_time_peers(gnutls_session_t session);
 time_t gnutls_certificate_expiration_time_peers(gnutls_session_t session);
 
-int gnutls_certificate_client_get_request_status(gnutls_session_t session);
+unsigned gnutls_certificate_client_get_request_status(gnutls_session_t session);
 int gnutls_certificate_verify_peers2(gnutls_session_t session,
                                     unsigned int *status);
 int gnutls_certificate_verify_peers3(gnutls_session_t session,
index b7602a5c67aee1ca2873aa107b33fd91caf2d86b..cf27db98f0e0c741ab03e849e7f43a4c1d86b17d 100644 (file)
--- a/lib/kx.c
+++ b/lib/kx.c
@@ -341,7 +341,7 @@ _gnutls_send_client_certificate_verify(gnutls_session_t session, int again)
 
        /* if certificate verify is not needed just exit 
         */
-       if (session->internals.crt_requested == 0)
+       if (!(session->internals.hsk_flags & HSK_CRT_ASKED))
                return 0;
 
 
@@ -387,7 +387,7 @@ int _gnutls_send_client_certificate(gnutls_session_t session, int again)
        int ret = 0;
        mbuffer_st *bufel = NULL;
 
-       if (session->internals.crt_requested == 0)
+       if (!(session->internals.hsk_flags & HSK_CRT_ASKED))
                return 0;
 
        if (session->internals.auth_struct->
@@ -661,7 +661,7 @@ int _gnutls_recv_client_certificate(gnutls_session_t session)
        if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional != 0)
                ret = 0;
        else
-               session->internals.crt_requested = 1;
+               session->internals.hsk_flags |= HSK_CRT_VRFY_EXPECTED;
 
       cleanup:
        _gnutls_buffer_clear(&buf);
@@ -715,7 +715,7 @@ _gnutls_recv_client_certificate_verify_message(gnutls_session_t session)
                return 0;
 
        if (session->internals.send_cert_req == 0 ||
-           session->internals.crt_requested == 0) {
+           (!(session->internals.hsk_flags & HSK_CRT_VRFY_EXPECTED))) {
                return 0;
        }
 
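Review bot: In the last hunk the flag test is wrapped in a redundant extra pair of parentheses; `session->internals.send_cert_req == 0 || !(session->internals.hsk_flags & HSK_CRT_VRFY_EXPECTED)` reads the same and matches the form used in the first two hunks. Because the single `crt_requested` field is now split into two bits with different owners, a comment at that check would help a reader: `/* HSK_CRT_VRFY_EXPECTED is set by _gnutls_recv_client_certificate() once a client certificate was received */`. In the third hunk the bit is still set on every branch of the `else`, including the ones where `ret` holds an error, exactly as the old assignment was; that is harmless only because the caller abandons the handshake on the returned error, and `else if (ret == 0)` would confine it to the success case if zero is the only success value of the receive path. All four functions start or end outside their hunks.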
index 889b3190c0c9886845e0f0632936d7b0c8f86b72..09fd4784943ce60db05d5288f32b4b4ee265eede 100644 (file)
@@ -223,7 +223,6 @@ static void handshake_internal_state_clear1(gnutls_session_t session)
        session->internals.cand_ec_group = 0;
        session->internals.cand_dh_group = 0;
 
-       session->internals.hsk_flags = 0;
        session->internals.hrr_cs[0] = CS_INVALID_MAJOR;
        session->internals.hrr_cs[1] = CS_INVALID_MINOR;
 }
index 42ba3c40559766d6989281cef265bdf15c9a5be1..252762033a74345483a1ed01bd1beac81f71b8e6 100644 (file)
@@ -156,7 +156,7 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
                goto cleanup;
        }
 
-       session->internals.crt_requested = 1;
+       session->internals.hsk_flags |= HSK_CRT_ASKED;
 
        ret = _gnutls_select_client_cert(session, ctx.rdn, ctx.rdn_size,
                                         ctx.pk_algos, ctx.pk_algos_length);
@@ -165,8 +165,6 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
                goto cleanup;
        }
 
-       session->internals.hsk_flags |= HSK_CRT_ASKED;
-
        ret = 0;
 
  cleanup:
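Review bot: `HSK_CRT_ASKED` is now set before `_gnutls_select_client_cert()` is called rather than after it succeeds, so on the failure path that jumps to cleanup the session carries the bit while the function returns an error. This is where the old `crt_requested = 1` was, and it is harmless if the caller aborts the handshake on error, but since hsk_flags is now shared with the TLS 1.2 paths the earlier placement should be deliberate: either keep the assignment after the success check, as the removed lines had it, or add `/* set before certificate selection: a Certificate message is owed regardless of which certificate is chosen */` if that is the intent. `_gnutls13_recv_certificate_request_int` begins outside the hunk.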