Fix parsing of CertificateRequests.
Got one of the conditions flipped.
Change-Id: I327a9c13e42865459e8d69a431b0d3a2bc6b54a5
Reviewed-on: https://boringssl-review.googlesource.com/1210
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 81849e1..77ea695 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1861,7 +1861,7 @@
goto err;
}
- if (CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name)))
+ if (!CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name)))
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_INTERNAL_ERROR);
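Review bot: The error branch under the corrected `!CBS_skip(...)` check still records `ssl3_get_server_certificate` as the function code in `OPENSSL_PUT_ERROR`. If this is the CertificateRequest parser the commit title refers to, that looks copied from another handler and would point anyone triaging a handshake failure at the wrong function. The enclosing function starts outside the hunk, so confirm against its actual name. Because the original bug was a misread of the CBS return convention, a one-line comment above the check would help prevent a repeat: `/* CBS_skip returns 1 on success; 0 means the name did not fit in the buffer. */`.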
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 3d94d1b..e025859 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2,6 +2,7 @@
import (
"bytes"
+ "crypto/x509"
"flag"
"fmt"
"io"
@@ -530,6 +531,15 @@
}
func addClientAuthTests() {
+ // Add a dummy cert pool to stress certificate authority parsing.
+ // TODO(davidben): Add tests that those values parse out correctly.
+ certPool := x509.NewCertPool()
+ cert, err := x509.ParseCertificate(rsaCertificate.Certificate[0])
+ if err != nil {
+ panic(err)
+ }
+ certPool.AddCert(cert)
+
for _, ver := range tlsVersions {
if ver.version == VersionSSL30 {
// TODO(davidben): The Go implementation does not
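Review bot: The setup added at the top of `addClientAuthTests` only proves that the handshake completes when the server sends a single well-formed CA name. Nothing checks what the client parsed, and no case sends a malformed certificate_authorities list, which is the input the parser's error branches exist to reject. The existing TODO covers the first gap; I would extend it to record the second, e.g. `// TODO(davidben): Also test that a truncated or trailing-garbage CA name fails with a decode error.` The same `certPool` is attached through `ClientCAs` in the two later hunks, so adding a second certificate to the pool would presumably also exercise parsing of more than one name. The function body continues outside this hunk.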
@@ -553,6 +563,7 @@
MaxVersion: ver.version,
CipherSuites: cipherSuites,
ClientAuth: RequireAnyClientCert,
+ ClientCAs: certPool,
},
flags: []string{
"-cert-file", rsaCertificateFile,
@@ -567,6 +578,7 @@
MaxVersion: ver.version,
CipherSuites: cipherSuites,
ClientAuth: RequireAnyClientCert,
+ ClientCAs: certPool,
},
flags: []string{
"-cert-file", ecdsaCertificateFile,