From 08a1d4bce1f2662cc08af43fa1947a1e47ef6bee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 26 Sep 2014 10:35:50 +0200
Subject: [PATCH] Fix bug with client auth with DTLS
---
 library/ssl_tls.c | 4 ++--
 tests/ssl-opt.sh | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 333e58e2c..603d1691a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3454,10 +3454,10 @@ int ssl_parse_certificate( ssl_context *ssl )
 if( ssl->endpoint == SSL_IS_SERVER &&
 ssl->minor_ver != SSL_MINOR_VERSION_0 )
 {
- if( ssl->in_hslen == 7 &&
+ if( ssl->in_hslen == 3 + ssl_hs_hdr_len( ssl ) &&
 ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
 ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
- memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
+ memcmp( ssl->in_msg + ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
 {
 SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2078ccdca..10fd04d49 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
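Review bot: The rewritten condition in `ssl_parse_certificate` (library/ssl_tls.c) leaves the literal `3` and the `"\0\0\0"` comparison unexplained, and the debug string on the following context line still reads "TLSv1 client has no certificate" although the branch is now meant to match DTLS clients as well. A comment above the inner `if`, for example `/* empty Certificate message: handshake header followed by a 3-byte certificate_list length of zero */`, would record why the `in_hslen` equality has to be tested before the 3-byte `memcmp` at the header offset. `ssl_hs_hdr_len( ssl )` is called twice in the same condition, so a local holding it would keep the length check and the offset in step. The function body starts and ends outside the hunk, so whether other fixed offsets into `in_msg` remain further down cannot be judged from here.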
@@ -2024,6 +2024,28 @@ run_test "DTLS cookie: enabled, IPv6" \
 -c "received hello verify request" \
 -S "SSL - The requested feature is not available"
+# Tests for various cases of client authentication with DTLS
+# (focused on handshake flows and message parsing)
+
+run_test "DTLS client auth: required" \
+ "$P_SRV dtls=1 auth_mode=required" \
+ "$P_CLI dtls=1" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok"
+
+run_test "DTLS client auth: optional, client has no cert" \
+ "$P_SRV dtls=1 auth_mode=optional" \
+ "$P_CLI dtls=1 crt_file=none key_file=none" \
+ 0 \
+ -s "! no client certificate sent"
+
+run_test "DTLS client auth: optional, client has no cert" \
+ "$P_SRV dtls=1 auth_mode=none" \
+ "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
+ 0 \
+ -c "skip write certificate$" \
+ -s "! no client certificate sent"
+
 # Tests for receiving fragmented handshake messages with DTLS
 requires_gnutls
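Review bot: The third added `run_test` reuses the name "DTLS client auth: optional, client has no cert" although it starts the server with `auth_mode=none`, so the two cases cannot be told apart in the test output; it should read `run_test "DTLS client auth: none, client has no cert" \`. The new group also exercises only handshakes that are expected to succeed (exit code `0` in all three). A case with `auth_mode=required` on the server and `crt_file=none key_file=none` on the client, expected to fail, would show that the empty Certificate message is actually rejected over DTLS when a certificate is mandatory, which is the security-relevant outcome of the parsing fix in library/ssl_tls.c.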