From: Adam Langley Date: Mon, 19 Mar 2012 16:34:35 +0000 (-0400) Subject: crypto/tls: always send a Certificate message if one was requested. X-Git-Tag: weekly.2012-03-22~43 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=aa1d4170a4f586bf2d9c68097f049977146bd31c;p=gostls13.git crypto/tls: always send a Certificate message if one was requested. If a CertificateRequest is received we have to reply with a Certificate message, even if we don't have a certificate to offer. Fixes #3339. R=golang-dev, r, ality CC=golang-dev https://golang.org/cl/5845067
---
diff --git a/src/pkg/crypto/tls/handshake_client.go b/src/pkg/crypto/tls/handshake_client.go
index 266eb8f578..2877f17387 100644
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@@ -166,8 +166,11 @@ func (c *Conn) clientHandshake() error {
 }
 var certToSend *Certificate
+ var certRequested bool
 certReq, ok := msg.(*certificateRequestMsg)
 if ok {
+ certRequested = true
+
 // RFC 4346 on the certificateAuthorities field:
 // A list of the distinguished names of acceptable certificate
 // authorities. These distinguished names may specify a desired
@@ -238,9 +241,14 @@ func (c *Conn) clientHandshake() error {
 }
 finishedHash.Write(shd.marshal())
- if certToSend != nil {
+ // If the server requested a certificate then we have to send a
+ // Certificate message, even if it's empty because we don't have a
+ // certificate to send.
+ if certRequested {
 certMsg = new(certificateMsg)
- certMsg.certificates = certToSend.Certificate
+ if certToSend != nil {
+ certMsg.certificates = certToSend.Certificate
+ }
 finishedHash.Write(certMsg.marshal())
 c.writeRecord(recordTypeHandshake, certMsg.marshal())
 }
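Review bot: The new `if certRequested` branch in the second hunk sends a Certificate message with an empty certificate list whenever certToSend is nil, but its comment does not say where that behaviour comes from or what the server is allowed to do with it; suggest extending the comment with `// RFC 4346 section 7.4.6: if no suitable certificate is available the client sends a Certificate message containing no certificates, and the server may then either continue without client authentication or answer with a fatal handshake_failure alert.` clientHandshake continues outside the hunk; the CertificateVerify step there should stay conditioned on `certToSend != nil` rather than on `certRequested`, because an empty Certificate message must not be followed by CertificateVerify (RFC 4346 section 7.4.8) — worth confirming against the rest of the function. The first hunk only introduces the certRequested flag and raises nothing on its own.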