From 01c3b768fef48bf04c442ae5669d53d4c666d159 Mon Sep 17 00:00:00 2001
From: "Henry D. Case"
Date: Mon, 26 Mar 2018 17:04:10 +0100
Subject: [PATCH] (fix) Client MUST send certificate msg if requested by server
---
 13.go | 11 ++++++++---
 _dev/tris-testclient/client.go | 3 ++-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/13.go b/13.go
index ad329d5..1ff9d04 100644
--- a/13.go
+++ b/13.go
@@ -220,7 +220,7 @@ CurvePreferenceLoop:
 // TODO: we should have 2 separated methods - one for full-handshake and the other for PSK-handshake
 if !c.didResume {
 // Server MUST NOT send CertificateRequest if authenticating with PSK
- if (c.config.ClientAuth >= RequestClientCert) {
+ if c.config.ClientAuth >= RequestClientCert {
 certReq := new(certificateRequestMsg13)
 // extension 'signature_algorithms' MUST be specified
@@ -303,6 +303,12 @@ func (hs *serverHandshakeState) readClientFinished13(hasConfirmLock bool) error
 // client authentication
 if certMsg, ok := msg.(*certificateMsg13); ok {
+ // (4.4.2) Client MUST send certificate msg if requested by server
+ if c.config.ClientAuth < RequestClientCert {
+ c.sendAlert(alertUnexpectedMessage)
+ return unexpectedMessageError(certMsg, msg)
+ }
+
 hs.keySchedule.write(certMsg.marshal())
 pubKey, err := hs.processCertsFromClient13(certMsg)
 if err != nil {
@@ -1075,6 +1081,7 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 hs.keySchedule.setSecret(nil) // derive master secret
 appServerCipher, _ := hs.keySchedule.prepareCipher(secretApplicationServer)
 appClientCipher, _ := hs.keySchedule.prepareCipher(secretApplicationClient)
+ // TODO store initial traffic secret key for KeyUpdate GH #85
 // Change outbound handshake cipher for final step
 c.out.setCipher(c.vers, clientCipher)
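Review bot: In readClientFinished13 the comment on the added guard says the opposite of what the guard does: `c.config.ClientAuth < RequestClientCert` rejects a Certificate message the server never requested, while the text describes the client's duty to send one. I would reword it to `// (4.4.2) Client sends Certificate only when the server requested it; reject an unsolicited one`. The converse case is not covered by the visible lines: the function continues outside the hunk, so it should be confirmed that when ClientAuth is at or above RequestClientCert and the type assertion fails, a bare Finished is rejected rather than accepted without client authentication. `unexpectedMessageError(certMsg, msg)` also passes the same message twice, so the error presumably names the received type as the expected one.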
@@ -1096,8 +1103,6 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 return err
 }
- // TODO store initial traffic secret key for KeyUpdate
-
 // Handshake done, set application traffic secret
 c.out.setCipher(c.vers, appClientCipher)
 if c.hand.Len() > 0 {
diff --git a/_dev/tris-testclient/client.go b/_dev/tris-testclient/client.go
index d48cf12..e83f8c2 100644
--- a/_dev/tris-testclient/client.go
+++ b/_dev/tris-testclient/client.go
@@ -225,4 +225,5 @@ x/M73jMCgYBBge3/ugnZPE78TDL3DdefrjeYFaKhVc622eimS/MEPbkbdxh8azTM
 LAoibwDU1NC8/3MfOBYMe6Qklu3kjexOJrfdo0Z7Khgd9F8A4tKwslUndSSlAfKF
 2rjfqabVMZMLZ2XEbA4W5JTfaZS4YYGcrjY7+i7OsnSxoYG2sb+xlQ==
 -----END RSA PRIVATE KEY-----`
-)
\ No newline at end of file
+)
+