Fix bug with client auth with DTLS
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 333e58e..603d169 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3454,10 +3454,10 @@
if( ssl->endpoint == SSL_IS_SERVER &&
ssl->minor_ver != SSL_MINOR_VERSION_0 )
{
- if( ssl->in_hslen == 7 &&
+ if( ssl->in_hslen == 3 + ssl_hs_hdr_len( ssl ) &&
ssl->in_msgtype == SSL_MSG_HANDSHAKE &&
ssl->in_msg[0] == SSL_HS_CERTIFICATE &&
- memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
+ memcmp( ssl->in_msg + ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
{
SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2078ccd..10fd04d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2024,6 +2024,28 @@
-c "received hello verify request" \
-S "SSL - The requested feature is not available"
+# Tests for various cases of client authentication with DTLS
+# (focused on handshake flows and message parsing)
+
+run_test "DTLS client auth: required" \
+ "$P_SRV dtls=1 auth_mode=required" \
+ "$P_CLI dtls=1" \
+ 0 \
+ -s "Verifying peer X.509 certificate... ok"
+
+run_test "DTLS client auth: optional, client has no cert" \
+ "$P_SRV dtls=1 auth_mode=optional" \
+ "$P_CLI dtls=1 crt_file=none key_file=none" \
+ 0 \
+ -s "! no client certificate sent"
+
+run_test "DTLS client auth: optional, client has no cert" \
+ "$P_SRV dtls=1 auth_mode=none" \
+ "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
+ 0 \
+ -c "skip write certificate$" \
+ -s "! no client certificate sent"
+
# Tests for receiving fragmented handshake messages with DTLS
requires_gnutls