diff options
-rw-r--r-- | lib/ssl/ssl3con.c | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index 9e68b6e66..fad5f39ef 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -9538,21 +9538,32 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) * get one when it is allowed, but otherwise we just carry on. */ if (ss->ssl3.hs.ws == wait_certificate_status) { - /* We must process any CertificateStatus message before we call - * ssl3_AuthCertificate, as ssl3_AuthCertificate needs any stapled OCSP - * response we get. - */ - if (ss->ssl3.hs.msg_type == certificate_status) { - rv = ssl3_HandleCertificateStatus(ss, b, length); - if (rv != SECSuccess) - return rv; - } + /* We must process any CertificateStatus message before we call + * ssl3_AuthCertificate, as ssl3_AuthCertificate needs any stapled + * OCSP response we get. + */ + if (ss->ssl3.hs.msg_type == certificate_status) { + rv = ssl3_HandleCertificateStatus(ss, b, length); + if (rv != SECSuccess) + return rv; + if (IS_DTLS(ss)) { + /* Increment the expected sequence number */ + ss->ssl3.hs.recvMessageSeq++; + } + } - /* Regardless of whether we got a CertificateStatus message, we must - * authenticate the cert before we handle any more handshake messages. - */ - rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */ - } else switch (ss->ssl3.hs.msg_type) { + /* Regardless of whether we got a CertificateStatus message, we must + * authenticate the cert before we handle any more handshake messages. + */ + rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */ + + if (rv != SECSuccess || ss->ssl3.hs.msg_type == certificate_status) { + PORT_Assert(rv == SECFailure); /* Not SECWouldBlock */ + return rv; + } + } + + switch (ss->ssl3.hs.msg_type) { case hello_request: if (length != 0) { (void)ssl3_DecodeError(ss); @@ -9594,10 +9605,10 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) rv = ssl3_HandleCertificate(ss, b, length); break; case certificate_status: - /* The good case is handled above */ - PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS); - rv = SECFailure; - break; + /* The good case is handled above */ + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS); + return SECFailure; case server_key_exchange: if (ss->sec.isServer) { (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |