The Contiki-NG TinyDTLS client proceeds in a handshake after receiving two distinct CertificateRequest messages. A similar issue was posted for eclipse's TinyDTLS. Below is the capture of the non-conforming behavior taken on my machine. Note that the CertificateRequest messages are distinct (their message_seq differs). Hence the client should have rejected the second CertificateRequest and not proceeded with the handshake.
Steps to Reproduce
I attached files necessary for reproduction using DTLS-Fuzzer, a Java-based tool for testing DTLS libraries. Also included in the archive is a capture of the interaction show above. DTLS-Fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running:
sudo apt-get install openjdk-8-jdk
Unpack the archive, cd to resulting folder and run bash reproduce.sh, while running an instance of Wireshark on the side. The reproduction script will:
setup Contiki-NG TinyDTLS and DTLS-Fuzzer
launch the TinyDTLS client using the 'tests/dtls-client utility;
launch DTLS-Fuzzer to execute the input sequence 'test_sequence' which exposes the bug.
Non-conformance bug
The Contiki-NG TinyDTLS client proceeds in a handshake after receiving two distinct CertificateRequest messages. A similar issue was posted for eclipse's TinyDTLS. Below is the capture of the non-conforming behavior taken on my machine. Note that the CertificateRequest messages are distinct (their message_seq differs). Hence the client should have rejected the second CertificateRequest and not proceeded with the handshake.
Steps to Reproduce I attached files necessary for reproduction using DTLS-Fuzzer, a Java-based tool for testing DTLS libraries. Also included in the archive is a capture of the interaction show above. DTLS-Fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running:
sudo apt-get install openjdk-8-jdk
Unpack the archive,
cd
to resulting folder and runbash reproduce.sh
, while running an instance of Wireshark on the side. The reproduction script will:Thanks!
reproduction.tar.gz