Fix bug with client auth with DTLS

This commit is contained in:
Manuel Pégourié-Gonnard 2014-09-26 10:35:50 +02:00 committed by Paul Bakker
parent d0fd1daa6b
commit 08a1d4bce1
2 changed files with 24 additions and 2 deletions

View file

@ -3454,10 +3454,10 @@ int ssl_parse_certificate( ssl_context *ssl )
if( ssl->endpoint == SSL_IS_SERVER &&
ssl->minor_ver != SSL_MINOR_VERSION_0 )
{
if( ssl->in_hslen == 7 &&
if( ssl->in_hslen == 3 + ssl_hs_hdr_len( ssl ) &&
ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
memcmp( ssl->in_msg + ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
{
SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );

View file

@ -2024,6 +2024,28 @@ run_test "DTLS cookie: enabled, IPv6" \
-c "received hello verify request" \
-S "SSL - The requested feature is not available"
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)
run_test "DTLS client auth: required" \
"$P_SRV dtls=1 auth_mode=required" \
"$P_CLI dtls=1" \
0 \
-s "Verifying peer X.509 certificate... ok"
run_test "DTLS client auth: optional, client has no cert" \
"$P_SRV dtls=1 auth_mode=optional" \
"$P_CLI dtls=1 crt_file=none key_file=none" \
0 \
-s "! no client certificate sent"
run_test "DTLS client auth: optional, client has no cert" \
"$P_SRV dtls=1 auth_mode=none" \
"$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
0 \
-c "skip write certificate$" \
-s "! no client certificate sent"
# Tests for receiving fragmented handshake messages with DTLS
requires_gnutls