Correctly handle CertificateRequest with empty DN list in <= TLS 1.1
diff --git a/ChangeLog b/ChangeLog
index c1b6c88..701f86b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@
Bugfix
* Memory leak when using RSA_PKCS_V21 operations fixed
* Handle future version properly in ssl_write_certificate_request()
+ * Correctly handle CertificateRequest message in client for <= TLS 1.1
+ without DN list
= Version 1.2.3 released 2012-11-26
Bugfix
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index a716710..42ddf41 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -894,7 +894,7 @@
{
int ret;
unsigned char *buf, *p;
- size_t n = 0;
+ size_t n = 0, m = 0;
size_t cert_type_len = 0, sig_alg_len = 0, dn_len = 0;
SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
@@ -976,6 +976,7 @@
| ( buf[6 + n] ) );
p = buf + 7 + n;
+ m += 2;
n += sig_alg_len;
if( ssl->in_hslen < 6 + n )
@@ -985,11 +986,11 @@
}
}
- dn_len = ( ( buf[7 + n] << 8 )
- | ( buf[8 + n] ) );
+ dn_len = ( ( buf[5 + m + n] << 8 )
+ | ( buf[6 + m + n] ) );
n += dn_len;
- if( ssl->in_hslen != 9 + n )
+ if( ssl->in_hslen != 7 + m + n )
{
SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
