← Back to branch summary

~ubuntu-branches/ubuntu/trusty/gnutls26/trusty

« back to all changes in this revision

Viewing changes to lib/gnutls_kx.c

  • Committer: Package Import Robot
  • Author(s): Andreas Metzler
  • Date: 2011-10-01 15:28:13 UTC
  • mfrom: (12.1.20 sid)
  • Revision ID: package-import@ubuntu.com-20111001152813-yygm1c4cxonfxhzy
http://bugs.debian.org/640639
* New upstream version.
  + Allow CA importing of 0 certificates to succeed. Closes: #640639
* Add libp11-kit-dev to libgnutls-dev dependencies. (see #643811)
* [20_guiledocstring.diff] guile: Fix docstring extraction with CPP 4.5+.

Show diffs side-by-side

added added

removed removed

Lines of Context:
lib/gnutls_kx.c
38
38
#include <gnutls_state.h>
39
39
#include <gnutls_datum.h>
40
40
#include <gnutls_rsa_export.h>
 
41
#include <gnutls_mbuffers.h>
 
42
#include "../libextra/ext_inner_application.h"  /* isn't this too much? */
 
43
 
 
44
/* This is a temporary function to be used before the generate_*
 
45
   internal API is changed to use mbuffers. For now we don't avoid the
 
46
   extra alloc + memcpy. */
 
47
static inline int
 
48
send_handshake (gnutls_session_t session, opaque * data, size_t size,
 
49
                gnutls_handshake_description_t type)
 
50
{
 
51
  mbuffer_st *bufel;
 
52
 
 
53
  if (data == NULL && size == 0)
 
54
    return _gnutls_send_handshake (session, NULL, type);
 
55
 
 
56
  if (data == NULL && size > 0)
 
57
    {
 
58
      gnutls_assert ();
 
59
      return GNUTLS_E_INVALID_REQUEST;
 
60
    }
 
61
 
 
62
  bufel = _gnutls_handshake_alloc (size, size);
 
63
  if (bufel == NULL)
 
64
    {
 
65
      gnutls_assert ();
 
66
      return GNUTLS_E_MEMORY_ERROR;
 
67
    }
 
68
 
 
69
  _mbuffer_set_udata (bufel, data, size);
 
70
 
 
71
  return _gnutls_send_handshake (session, bufel, type);
 
72
}
 
73
 
41
74
 
42
75
/* This file contains important thing for the TLS handshake procedure.
43
76
 */
63
96
  char buf[512];
64
97
 
65
98
  _gnutls_hard_log ("INT: PREMASTER SECRET[%d]: %s\n", PREMASTER.size,
66
 
                    _gnutls_bin2hex (PREMASTER.data, PREMASTER.size, buf,
67
 
                                     sizeof (buf)));
 
99
                    _gnutls_bin2hex (PREMASTER.data, PREMASTER.size, buf,
 
100
                                     sizeof (buf), NULL));
68
101
  _gnutls_hard_log ("INT: CLIENT RANDOM[%d]: %s\n", 32,
69
 
                    _gnutls_bin2hex (session->
70
 
                                     security_parameters.client_random, 32,
71
 
                                     buf, sizeof (buf)));
 
102
                    _gnutls_bin2hex (session->
 
103
                                     security_parameters.client_random, 32,
 
104
                                     buf, sizeof (buf), NULL));
72
105
  _gnutls_hard_log ("INT: SERVER RANDOM[%d]: %s\n", 32,
73
 
                    _gnutls_bin2hex (session->
74
 
                                     security_parameters.server_random, 32,
75
 
                                     buf, sizeof (buf)));
 
106
                    _gnutls_bin2hex (session->
 
107
                                     security_parameters.server_random, 32,
 
108
                                     buf, sizeof (buf), NULL));
76
109
 
77
110
  if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
78
111
    {
79
112
      opaque rnd[2 * GNUTLS_RANDOM_SIZE + 1];
80
113
 
81
114
      memcpy (rnd, session->security_parameters.client_random,
82
 
              GNUTLS_RANDOM_SIZE);
 
115
              GNUTLS_RANDOM_SIZE);
83
116
      memcpy (&rnd[GNUTLS_RANDOM_SIZE],
84
 
              session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
 
117
              session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
85
118
 
86
119
      ret =
87
 
        _gnutls_ssl3_generate_random (PREMASTER.data, PREMASTER.size,
88
 
                                      rnd, 2 * GNUTLS_RANDOM_SIZE,
89
 
                                      GNUTLS_MASTER_SIZE,
90
 
                                      session->
91
 
                                      security_parameters.master_secret);
92
 
 
93
 
    }
94
 
  else if (session->security_parameters.extensions.oprfi_client_len > 0 &&
95
 
           session->security_parameters.extensions.oprfi_server_len > 0)
96
 
    {
97
 
      opaque *rnd;
98
 
      size_t rndlen = 2 * GNUTLS_RANDOM_SIZE;
99
 
 
100
 
      rndlen += session->security_parameters.extensions.oprfi_client_len;
101
 
      rndlen += session->security_parameters.extensions.oprfi_server_len;
102
 
 
103
 
      rnd = gnutls_malloc (rndlen + 1);
104
 
      if (!rnd)
105
 
        {
106
 
          gnutls_assert ();
107
 
          return GNUTLS_E_MEMORY_ERROR;
108
 
        }
109
 
 
110
 
      _gnutls_hard_log ("INT: CLIENT OPRFI[%d]: %s\n",
111
 
                        session->security_parameters.extensions.
112
 
                        oprfi_server_len,
113
 
                        _gnutls_bin2hex (session->
114
 
                                         security_parameters.extensions.
115
 
                                         oprfi_client,
116
 
                                         session->
117
 
                                         security_parameters.extensions.
118
 
                                         oprfi_client_len, buf,
119
 
                                         sizeof (buf)));
120
 
      _gnutls_hard_log ("INT: SERVER OPRFI[%d]: %s\n",
121
 
                        session->security_parameters.extensions.
122
 
                        oprfi_server_len,
123
 
                        _gnutls_bin2hex (session->
124
 
                                         security_parameters.extensions.
125
 
                                         oprfi_server,
126
 
                                         session->
127
 
                                         security_parameters.extensions.
128
 
                                         oprfi_server_len, buf,
129
 
                                         sizeof (buf)));
130
 
 
131
 
      memcpy (rnd, session->security_parameters.client_random,
132
 
              GNUTLS_RANDOM_SIZE);
133
 
      memcpy (rnd + GNUTLS_RANDOM_SIZE,
134
 
              session->security_parameters.extensions.oprfi_client,
135
 
              session->security_parameters.extensions.oprfi_client_len);
136
 
      memcpy (rnd + GNUTLS_RANDOM_SIZE +
137
 
              session->security_parameters.extensions.oprfi_client_len,
138
 
              session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
139
 
      memcpy (rnd + GNUTLS_RANDOM_SIZE +
140
 
              session->security_parameters.extensions.oprfi_client_len +
141
 
              GNUTLS_RANDOM_SIZE,
142
 
              session->security_parameters.extensions.oprfi_server,
143
 
              session->security_parameters.extensions.oprfi_server_len);
144
 
 
145
 
      ret = _gnutls_PRF (session, PREMASTER.data, PREMASTER.size,
146
 
                         MASTER_SECRET, strlen (MASTER_SECRET),
147
 
                         rnd, rndlen, GNUTLS_MASTER_SIZE,
148
 
                         session->security_parameters.master_secret);
149
 
 
150
 
      gnutls_free (rnd);
 
120
        _gnutls_ssl3_generate_random (PREMASTER.data, PREMASTER.size,
 
121
                                      rnd, 2 * GNUTLS_RANDOM_SIZE,
 
122
                                      GNUTLS_MASTER_SIZE,
 
123
                                      session->
 
124
                                      security_parameters.master_secret);
 
125
 
151
126
    }
152
127
  else
153
128
    {
154
129
      opaque rnd[2 * GNUTLS_RANDOM_SIZE + 1];
155
130
 
156
131
      memcpy (rnd, session->security_parameters.client_random,
157
 
              GNUTLS_RANDOM_SIZE);
 
132
              GNUTLS_RANDOM_SIZE);
158
133
      memcpy (&rnd[GNUTLS_RANDOM_SIZE],
159
 
              session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
 
134
              session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
160
135
 
161
136
      ret =
162
 
        _gnutls_PRF (session, PREMASTER.data, PREMASTER.size,
163
 
                     MASTER_SECRET, strlen (MASTER_SECRET),
164
 
                     rnd, 2 * GNUTLS_RANDOM_SIZE, GNUTLS_MASTER_SIZE,
165
 
                     session->security_parameters.master_secret);
 
137
        _gnutls_PRF (session, PREMASTER.data, PREMASTER.size,
 
138
                     MASTER_SECRET, strlen (MASTER_SECRET),
 
139
                     rnd, 2 * GNUTLS_RANDOM_SIZE, GNUTLS_MASTER_SIZE,
 
140
                     session->security_parameters.master_secret);
166
141
    }
167
142
 
168
143
  /* TLS/IA inner secret is derived from the master secret. */
169
 
  memcpy (session->security_parameters.inner_secret,
170
 
          session->security_parameters.master_secret, GNUTLS_MASTER_SIZE);
 
144
  _gnutls_ia_derive_inner_secret (session);
171
145
 
172
146
  if (!keep_premaster)
173
147
    _gnutls_free_datum (&PREMASTER);
176
150
    return ret;
177
151
 
178
152
  _gnutls_hard_log ("INT: MASTER SECRET: %s\n",
179
 
                    _gnutls_bin2hex (session->
180
 
                                     security_parameters.master_secret,
181
 
                                     GNUTLS_MASTER_SIZE, buf, sizeof (buf)));
 
153
                    _gnutls_bin2hex (session->
 
154
                                     security_parameters.master_secret,
 
155
                                     GNUTLS_MASTER_SIZE, buf, sizeof (buf),
 
156
                                     NULL));
182
157
 
183
158
  return ret;
184
159
}
204
179
  if (again == 0)
205
180
    {
206
181
      data_size =
207
 
        session->internals.auth_struct->gnutls_generate_server_kx (session,
208
 
                                                                   &data);
 
182
        session->internals.auth_struct->gnutls_generate_server_kx (session,
 
183
                                                                   &data);
209
184
 
210
185
      if (data_size == GNUTLS_E_INT_RET_0)
211
 
        {
212
 
          gnutls_assert ();
213
 
          return 0;
214
 
        }
 
186
        {
 
187
          gnutls_assert ();
 
188
          return 0;
 
189
        }
215
190
 
216
191
      if (data_size < 0)
217
 
        {
218
 
          gnutls_assert ();
219
 
          return data_size;
220
 
        }
 
192
        {
 
193
          gnutls_assert ();
 
194
          return data_size;
 
195
        }
221
196
    }
222
197
 
223
 
  ret =
224
 
    _gnutls_send_handshake (session, data, data_size,
225
 
                            GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
 
198
  ret = send_handshake (session, data, data_size,
 
199
                        GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE);
226
200
  gnutls_free (data);
227
201
 
228
202
  if (ret < 0)
256
230
  if (again == 0)
257
231
    {
258
232
      data_size =
259
 
        session->internals.
260
 
        auth_struct->gnutls_generate_server_certificate_request (session,
261
 
                                                                 &data);
 
233
        session->internals.
 
234
        auth_struct->gnutls_generate_server_certificate_request (session,
 
235
                                                                 &data);
262
236
 
263
237
      if (data_size < 0)
264
 
        {
265
 
          gnutls_assert ();
266
 
          return data_size;
267
 
        }
 
238
        {
 
239
          gnutls_assert ();
 
240
          return data_size;
 
241
        }
268
242
    }
269
 
  ret =
270
 
    _gnutls_send_handshake (session, data, data_size,
271
 
                            GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
 
243
  ret = send_handshake (session, data, data_size,
 
244
                        GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST);
272
245
  gnutls_free (data);
273
246
 
274
247
  if (ret < 0)
300
273
  if (again == 0)
301
274
    {
302
275
      data_size =
303
 
        session->internals.auth_struct->gnutls_generate_client_kx (session,
304
 
                                                                   &data);
 
276
        session->internals.auth_struct->gnutls_generate_client_kx (session,
 
277
                                                                   &data);
305
278
      if (data_size < 0)
306
 
        {
307
 
          gnutls_assert ();
308
 
          return data_size;
309
 
        }
 
279
        {
 
280
          gnutls_assert ();
 
281
          return data_size;
 
282
        }
310
283
    }
311
 
  ret =
312
 
    _gnutls_send_handshake (session, data, data_size,
313
 
                            GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
 
284
  ret = send_handshake (session, data, data_size,
 
285
                        GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE);
314
286
  gnutls_free (data);
315
287
 
316
288
  if (ret < 0)
347
319
      NULL)
348
320
    {
349
321
      gnutls_assert ();
350
 
      return 0;                 /* this algorithm does not support cli_cert_vrfy 
351
 
                                 */
 
322
      return 0;                 /* this algorithm does not support cli_cert_vrfy 
 
323
                                 */
352
324
    }
353
325
 
354
326
  data = NULL;
357
329
  if (again == 0)
358
330
    {
359
331
      data_size =
360
 
        session->internals.
361
 
        auth_struct->gnutls_generate_client_cert_vrfy (session, &data);
 
332
        session->internals.
 
333
        auth_struct->gnutls_generate_client_cert_vrfy (session, &data);
362
334
      if (data_size < 0)
363
 
        {
364
 
          gnutls_assert ();
365
 
          return data_size;
366
 
        }
 
335
        {
 
336
          gnutls_assert ();
 
337
          return data_size;
 
338
        }
367
339
      if (data_size == 0)
368
 
        return 0;
 
340
        return 0;
369
341
 
370
342
    }
371
 
  ret =
372
 
    _gnutls_send_handshake (session, data,
373
 
                            data_size, GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
 
343
  ret = send_handshake (session, data, data_size,
 
344
                        GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY);
374
345
  gnutls_free (data);
375
346
 
376
347
  return ret;
391
362
      /* EXCEPTION FOR RSA_EXPORT cipher suite 
392
363
       */
393
364
      if (_gnutls_session_is_export (session) != 0 &&
394
 
          _gnutls_peers_cert_less_512 (session) != 0)
395
 
        {
396
 
          gnutls_assert ();
397
 
          return 0;
398
 
        }
 
365
          _gnutls_peers_cert_less_512 (session) != 0)
 
366
        {
 
367
          gnutls_assert ();
 
368
          return 0;
 
369
        }
399
370
 
400
371
      /* Server key exchange packet is optional for PSK. */
401
372
      if (_gnutls_session_is_psk (session))
402
 
        optflag = OPTIONAL_PACKET;
 
373
        optflag = OPTIONAL_PACKET;
403
374
 
404
375
      ret =
405
 
        _gnutls_recv_handshake (session, &data,
406
 
                                &datasize,
407
 
                                GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
408
 
                                optflag);
 
376
        _gnutls_recv_handshake (session, &data,
 
377
                                &datasize,
 
378
                                GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE,
 
379
                                optflag);
409
380
      if (ret < 0)
410
 
        {
411
 
          gnutls_assert ();
412
 
          return ret;
413
 
        }
 
381
        {
 
382
          gnutls_assert ();
 
383
          return ret;
 
384
        }
414
385
 
415
386
      ret =
416
 
        session->internals.auth_struct->gnutls_process_server_kx (session,
417
 
                                                                  data,
418
 
                                                                  datasize);
 
387
        session->internals.auth_struct->gnutls_process_server_kx (session,
 
388
                                                                  data,
 
389
                                                                  datasize);
419
390
      gnutls_free (data);
420
391
 
421
392
      if (ret < 0)
422
 
        {
423
 
          gnutls_assert ();
424
 
          return ret;
425
 
        }
 
393
        {
 
394
          gnutls_assert ();
 
395
          return ret;
 
396
        }
426
397
 
427
398
    }
428
399
  return ret;
440
411
    {
441
412
 
442
413
      ret =
443
 
        _gnutls_recv_handshake (session, &data,
444
 
                                &datasize,
445
 
                                GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
446
 
                                OPTIONAL_PACKET);
 
414
        _gnutls_recv_handshake (session, &data,
 
415
                                &datasize,
 
416
                                GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST,
 
417
                                OPTIONAL_PACKET);
447
418
      if (ret < 0)
448
 
        return ret;
 
419
        return ret;
449
420
 
450
421
      if (ret == 0 && datasize == 0)
451
 
        return 0;               /* ignored */
 
422
        return 0;               /* ignored */
452
423
 
453
424
      ret =
454
 
        session->internals.
455
 
        auth_struct->gnutls_process_server_certificate_request (session, data,
456
 
                                                                datasize);
 
425
        session->internals.
 
426
        auth_struct->gnutls_process_server_certificate_request (session, data,
 
427
                                                                datasize);
457
428
      gnutls_free (data);
458
429
      if (ret < 0)
459
 
        return ret;
 
430
        return ret;
460
431
 
461
432
    }
462
433
  return ret;
475
446
    {
476
447
 
477
448
      ret =
478
 
        _gnutls_recv_handshake (session, &data,
479
 
                                &datasize,
480
 
                                GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
481
 
                                MANDATORY_PACKET);
 
449
        _gnutls_recv_handshake (session, &data,
 
450
                                &datasize,
 
451
                                GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE,
 
452
                                MANDATORY_PACKET);
482
453
      if (ret < 0)
483
 
        return ret;
 
454
        return ret;
484
455
 
485
456
      ret =
486
 
        session->internals.auth_struct->gnutls_process_client_kx (session,
487
 
                                                                  data,
488
 
                                                                  datasize);
 
457
        session->internals.auth_struct->gnutls_process_client_kx (session,
 
458
                                                                  data,
 
459
                                                                  datasize);
489
460
      gnutls_free (data);
490
461
      if (ret < 0)
491
 
        return ret;
 
462
        return ret;
492
463
 
493
464
    }
494
465
 
519
490
  if (again == 0)
520
491
    {
521
492
      if (gnutls_protocol_get_version (session) != GNUTLS_SSL3 ||
522
 
          session->internals.selected_cert_list_length > 0)
523
 
        {
524
 
          /* TLS 1.0 or SSL 3.0 with a valid certificate 
525
 
           */
526
 
          data_size =
527
 
            session->internals.
528
 
            auth_struct->gnutls_generate_client_certificate (session, &data);
 
493
          session->internals.selected_cert_list_length > 0)
 
494
        {
 
495
          /* TLS 1.0 or SSL 3.0 with a valid certificate 
 
496
           */
 
497
          data_size =
 
498
            session->internals.
 
499
            auth_struct->gnutls_generate_client_certificate (session, &data);
529
500
 
530
 
          if (data_size < 0)
531
 
            {
532
 
              gnutls_assert ();
533
 
              return data_size;
534
 
            }
535
 
        }
 
501
          if (data_size < 0)
 
502
            {
 
503
              gnutls_assert ();
 
504
              return data_size;
 
505
            }
 
506
        }
536
507
    }
537
508
 
538
509
  /* In the SSL 3.0 protocol we need to send a
543
514
      session->internals.selected_cert_list_length == 0)
544
515
    {
545
516
      ret =
546
 
        gnutls_alert_send (session, GNUTLS_AL_WARNING,
547
 
                           GNUTLS_A_SSL3_NO_CERTIFICATE);
 
517
        gnutls_alert_send (session, GNUTLS_AL_WARNING,
 
518
                           GNUTLS_A_SSL3_NO_CERTIFICATE);
548
519
 
549
520
    }
550
521
  else
551
 
    {                           /* TLS 1.0 or SSL 3.0 with a valid certificate 
552
 
                                 */
553
 
      ret =
554
 
        _gnutls_send_handshake (session, data, data_size,
555
 
                                GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
 
522
    {                           /* TLS 1.0 or SSL 3.0 with a valid certificate 
 
523
                                 */
 
524
      ret = send_handshake (session, data, data_size,
 
525
                            GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
556
526
      gnutls_free (data);
557
527
    }
558
528
 
586
556
  if (again == 0)
587
557
    {
588
558
      data_size =
589
 
        session->internals.
590
 
        auth_struct->gnutls_generate_server_certificate (session, &data);
 
559
        session->internals.
 
560
        auth_struct->gnutls_generate_server_certificate (session, &data);
591
561
 
592
562
      if (data_size < 0)
593
 
        {
594
 
          gnutls_assert ();
595
 
          return data_size;
596
 
        }
 
563
        {
 
564
          gnutls_assert ();
 
565
          return data_size;
 
566
        }
597
567
    }
598
 
  ret =
599
 
    _gnutls_send_handshake (session, data, data_size,
600
 
                            GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
 
568
  ret = send_handshake (session, data, data_size,
 
569
                        GNUTLS_HANDSHAKE_CERTIFICATE_PKT);
601
570
  gnutls_free (data);
602
571
 
603
572
  if (ret < 0)
625
594
      /* if we have not requested a certificate then just return
626
595
       */
627
596
      if (session->internals.send_cert_req == 0)
628
 
        {
629
 
          return 0;
630
 
        }
 
597
        {
 
598
          return 0;
 
599
        }
631
600
 
632
601
      if (session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
633
 
        optional = MANDATORY_PACKET;
 
602
        optional = MANDATORY_PACKET;
634
603
      else
635
 
        optional = OPTIONAL_PACKET;
 
604
        optional = OPTIONAL_PACKET;
636
605
 
637
606
      ret =
638
 
        _gnutls_recv_handshake (session, &data,
639
 
                                &datasize,
640
 
                                GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional);
 
607
        _gnutls_recv_handshake (session, &data,
 
608
                                &datasize,
 
609
                                GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional);
641
610
 
642
611
      if (ret < 0)
643
 
        {
644
 
          /* Handle the case of old SSL3 clients who send
645
 
           * a warning alert instead of an empty certificate to indicate
646
 
           * no certificate.
647
 
           */
648
 
          if (optional == OPTIONAL_PACKET &&
649
 
              ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
650
 
              gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
651
 
              gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE)
652
 
            {
653
 
 
654
 
              /* SSL3 does not send an empty certificate,
655
 
               * but this alert. So we just ignore it.
656
 
               */
657
 
              gnutls_assert ();
658
 
              return 0;
659
 
            }
660
 
 
661
 
          /* certificate was required 
662
 
           */
663
 
          if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
664
 
               || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
665
 
              && optional == MANDATORY_PACKET)
666
 
            {
667
 
              gnutls_assert ();
668
 
              return GNUTLS_E_NO_CERTIFICATE_FOUND;
669
 
            }
670
 
 
671
 
          return ret;
672
 
        }
 
612
        {
 
613
          /* Handle the case of old SSL3 clients who send
 
614
           * a warning alert instead of an empty certificate to indicate
 
615
           * no certificate.
 
616
           */
 
617
          if (optional == OPTIONAL_PACKET &&
 
618
              ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
 
619
              gnutls_protocol_get_version (session) == GNUTLS_SSL3 &&
 
620
              gnutls_alert_get (session) == GNUTLS_A_SSL3_NO_CERTIFICATE)
 
621
            {
 
622
 
 
623
              /* SSL3 does not send an empty certificate,
 
624
               * but this alert. So we just ignore it.
 
625
               */
 
626
              gnutls_assert ();
 
627
              return 0;
 
628
            }
 
629
 
 
630
          /* certificate was required 
 
631
           */
 
632
          if ((ret == GNUTLS_E_WARNING_ALERT_RECEIVED
 
633
               || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
 
634
              && optional == MANDATORY_PACKET)
 
635
            {
 
636
              gnutls_assert ();
 
637
              return GNUTLS_E_NO_CERTIFICATE_FOUND;
 
638
            }
 
639
 
 
640
          return ret;
 
641
        }
673
642
 
674
643
      if (ret == 0 && datasize == 0 && optional == OPTIONAL_PACKET)
675
 
        {
676
 
          /* Client has not sent the certificate message.
677
 
           * well I'm not sure we should accept this
678
 
           * behaviour.
679
 
           */
680
 
          gnutls_assert ();
681
 
          return 0;
682
 
        }
 
644
        {
 
645
          /* Client has not sent the certificate message.
 
646
           * well I'm not sure we should accept this
 
647
           * behaviour.
 
648
           */
 
649
          gnutls_assert ();
 
650
          return 0;
 
651
        }
683
652
      ret =
684
 
        session->internals.
685
 
        auth_struct->gnutls_process_client_certificate (session, data,
686
 
                                                        datasize);
 
653
        session->internals.
 
654
        auth_struct->gnutls_process_client_certificate (session, data,
 
655
                                                        datasize);
687
656
 
688
657
      gnutls_free (data);
689
658
      if (ret < 0 && ret != GNUTLS_E_NO_CERTIFICATE_FOUND)
690
 
        {
691
 
          gnutls_assert ();
692
 
          return ret;
693
 
        }
 
659
        {
 
660
          gnutls_assert ();
 
661
          return ret;
 
662
        }
694
663
 
695
664
      /* ok we should expect a certificate verify message now 
696
665
       */
697
666
      if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional == OPTIONAL_PACKET)
698
 
        ret = 0;
 
667
        ret = 0;
699
668
      else
700
 
        session->key->certificate_requested = 1;
 
669
        session->key->certificate_requested = 1;
701
670
 
702
671
    }
703
672
 
716
685
    {
717
686
 
718
687
      ret =
719
 
        _gnutls_recv_handshake (session, &data,
720
 
                                &datasize,
721
 
                                GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
722
 
                                MANDATORY_PACKET);
 
688
        _gnutls_recv_handshake (session, &data,
 
689
                                &datasize,
 
690
                                GNUTLS_HANDSHAKE_CERTIFICATE_PKT,
 
691
                                MANDATORY_PACKET);
723
692
      if (ret < 0)
724
 
        {
725
 
          gnutls_assert ();
726
 
          return ret;
727
 
        }
 
693
        {
 
694
          gnutls_assert ();
 
695
          return ret;
 
696
        }
728
697
 
729
698
      ret =
730
 
        session->internals.
731
 
        auth_struct->gnutls_process_server_certificate (session, data,
732
 
                                                        datasize);
 
699
        session->internals.
 
700
        auth_struct->gnutls_process_server_certificate (session, data,
 
701
                                                        datasize);
733
702
      gnutls_free (data);
734
703
      if (ret < 0)
735
 
        {
736
 
          gnutls_assert ();
737
 
          return ret;
738
 
        }
 
704
        {
 
705
          gnutls_assert ();
 
706
          return ret;
 
707
        }
739
708
    }
740
709
 
741
710
  return ret;
757
726
    {
758
727
 
759
728
      if (session->internals.send_cert_req == 0 ||
760
 
          session->key->certificate_requested == 0)
761
 
        {
762
 
          return 0;
763
 
        }
 
729
          session->key->certificate_requested == 0)
 
730
        {
 
731
          return 0;
 
732
        }
764
733
 
765
734
      ret =
766
 
        _gnutls_recv_handshake (session, &data,
767
 
                                &datasize,
768
 
                                GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
769
 
                                OPTIONAL_PACKET);
 
735
        _gnutls_recv_handshake (session, &data,
 
736
                                &datasize,
 
737
                                GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY,
 
738
                                OPTIONAL_PACKET);
770
739
      if (ret < 0)
771
 
        return ret;
 
740
        return ret;
772
741
 
773
742
      if (ret == 0 && datasize == 0
774
 
          && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
775
 
        {
776
 
          /* certificate was required */
777
 
          gnutls_assert ();
778
 
          return GNUTLS_E_NO_CERTIFICATE_FOUND;
779
 
        }
 
743
          && session->internals.send_cert_req == GNUTLS_CERT_REQUIRE)
 
744
        {
 
745
          /* certificate was required */
 
746
          gnutls_assert ();
 
747
          return GNUTLS_E_NO_CERTIFICATE_FOUND;
 
748
        }
780
749
 
781
750
      ret =
782
 
        session->internals.
783
 
        auth_struct->gnutls_process_client_cert_vrfy (session, data,
784
 
                                                      datasize);
 
751
        session->internals.
 
752
        auth_struct->gnutls_process_client_cert_vrfy (session, data,
 
753
                                                      datasize);
785
754
      gnutls_free (data);
786
755
      if (ret < 0)
787
 
        return ret;
 
756
        return ret;
788
757
 
789
758
    }
790
759