From: doug Date: Thu, 18 Jun 2015 22:30:47 +0000 (+0000) Subject: Change DTLS client cert request code to match TLS. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=ba065f75ce522a82347c0e55adab232d6265d6ea;p=openbsd Change DTLS client cert request code to match TLS. DTLS currently doesn't check whether a client cert is expected. This change makes the logic in dtls1_accept() match that from ssl3_accept(). From OpenSSL commit c8d710dc5f83d69d802f941a4cc5895eb5fe3d65 input + ok jsing@ miod@
---
diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index 42af17e96e7..f3972ae9d07 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.53 2015/06/15 05:32:58 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.54 2015/06/18 22:30:47 doug Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -476,11 +476,11 @@ dtls1_accept(SSL *s)
 dtls1_stop_timer(s);
 s->state = SSL3_ST_SR_CLNT_HELLO_C;
 } else {
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret = ssl3_get_client_certificate(s);
- if (ret <= 0)
- goto end;
+ if (s->s3->tmp.cert_request) {
+ ret = ssl3_get_client_certificate(s);
+ if (ret <= 0)
+ goto end;
+ }
 s->init_num = 0;
 s->state = SSL3_ST_SR_KEY_EXCH_A;
 }
diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c
index 42af17e96e7..f3972ae9d07 100644
--- a/lib/libssl/src/ssl/d1_srvr.c
+++ b/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.53 2015/06/15 05:32:58 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.54 2015/06/18 22:30:47 doug Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
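Review bot: The new `if (s->s3->tmp.cert_request)` guard in the SSL3_ST_SR_CLNT_HELLO branch drops the old comment that explained why the Certificate read was unconditional, and nothing now documents the new contract: when no CertificateRequest was sent, a Certificate message the client sends anyway is no longer consumed here but left for the SSL3_ST_SR_KEY_EXCH_A read, which presumably treats it as an unexpected message instead of parsing an unsolicited certificate. I'd put that in writing above the new `if`: `/* Only read a client Certificate when we asked for one (cert_request); mirrors ssl3_accept(). An unsolicited Certificate is left for the next state to reject. */`. The identical hunk in lib/libssl/src/ssl/d1_srvr.c wants the same comment. dtls1_accept() begins and ends outside this hunk.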
@@ -476,11 +476,11 @@ dtls1_accept(SSL *s)
 dtls1_stop_timer(s);
 s->state = SSL3_ST_SR_CLNT_HELLO_C;
 } else {
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret = ssl3_get_client_certificate(s);
- if (ret <= 0)
- goto end;
+ if (s->s3->tmp.cert_request) {
+ ret = ssl3_get_client_certificate(s);
+ if (ret <= 0)
+ goto end;
+ }
 s->init_num = 0;
 s->state = SSL3_ST_SR_KEY_EXCH_A;
 }