diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-15 15:05:28 +0400 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-15 15:05:28 +0400 |
commit | 3efee8b0f1e67c727b0c204c45ef399a5c9c4652 (patch) | |
tree | c58655f68db40242d8b8d1e4a65882bcbad69c7c | |
parent | 56e63e21b83fe0c854db7c6c6ff8e90c68a4accb (diff) |
Explicitly fail on CertificateVerify in TLS 1.2 server
Add test coverage for known issue
3 files changed, 22 insertions, 3 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java index 9e054897..ac11b8ea 100644 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java +++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java @@ -475,6 +475,11 @@ public class DTLSServerProtocol TlsProtocol.assertEmpty(buf); + if (TlsUtils.isTLSv12(state.serverContext)) + { + throw new TlsFatalAlert(AlertDescription.decrypt_error); + } + // Verify the CertificateVerify message contains a correct signature. boolean verified = false; try diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java index f33ed554..257ea122 100644 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java +++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java @@ -430,6 +430,11 @@ public class TlsServerProtocol assertEmpty(buf); + if (TlsUtils.isTLSv12(getContext())) + { + throw new TlsFatalAlert(AlertDescription.decrypt_error); + } + // Verify the CertificateVerify message contains a correct signature. boolean verified = false; try diff --git a/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java b/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java index 6762a702..961932a0 100644 --- a/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java +++ b/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java @@ -1,6 +1,7 @@ package org.bouncycastle.crypto.tls.test; import org.bouncycastle.crypto.tls.AlertDescription; +import org.bouncycastle.crypto.tls.ProtocolVersion; import junit.framework.Test; import junit.framework.TestSuite; @@ -48,16 +49,24 @@ public class TlsTestSuite extends TestSuite { TlsTestConfig c = new TlsTestConfig(); c.clientAuth = C.CLIENT_AUTH_NONE; + c.serverCertReq = C.SERVER_CERT_REQ_NONE; - testSuite.addTest(new TlsTestCase(c, "GoodOptionalCertReqDeclined")); + testSuite.addTest(new TlsTestCase(c, "GoodNoCertReq")); } { TlsTestConfig c = new TlsTestConfig(); c.clientAuth = C.CLIENT_AUTH_NONE; - c.serverCertReq = C.SERVER_CERT_REQ_NONE; - testSuite.addTest(new TlsTestCase(c, "GoodServerOnlyAuthentication")); + testSuite.addTest(new TlsTestCase(c, "GoodOptionalCertReqDeclined")); + } + + { + TlsTestConfig c = new TlsTestConfig(); + c.serverMaximumVersion = ProtocolVersion.TLSv12; + c.expectServerFatalAlert(AlertDescription.decrypt_error); + + testSuite.addTest(new TlsTestCase(c, "KnownIssue_TLS12_ClientAuth_NotImpl")); } return testSuite; |