author | Peter Dettman <peter.dettman@bouncycastle.org> | 2017-06-01 17:03:32 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2017-06-01 17:03:32 +0700 |
commit | 3329b24132fc59aca54c6ed8407b4a75bc5a7fce (patch) | |
tree | 4c240012681a709f0d92144defa45ebf1159b5ca | |
parent | RFC 7250 Add methods to work with required extension types (diff) | |
download | BouncyCastle.NET-ed25519-3329b24132fc59aca54c6ed8407b4a75bc5a7fce.tar.xz |
Tighten up no_certificate alert handling
-rw-r--r-- | crypto/src/crypto/tls/TlsServerProtocol.cs | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs
index 5f3ce18e2..298c9f42d 100644
--- a/crypto/src/crypto/tls/TlsServerProtocol.cs
+++ b/crypto/src/crypto/tls/TlsServerProtocol.cs
@@ -388,26 +388,37 @@ namespace Org.BouncyCastle.Crypto.Tls
 protected override void HandleWarningMessage(byte description)
 {
+ base.HandleWarningMessage(description);
+
 switch (description)
 {
 case AlertDescription.no_certificate:
 {
 /*
- * SSL 3.0 If the server has sent a certificate request Message, the client must Send
+ * SSL 3.0 If the server has sent a certificate request Message, the client must send
 * either the certificate message or a no_certificate alert.
 */
- if (TlsUtilities.IsSsl(Context) && mCertificateRequest != null)
+ if (TlsUtilities.IsSsl(Context) && this.mCertificateRequest != null)
 {
- NotifyClientCertificate(Certificate.EmptyChain);
+ switch (this.mConnectionState)
+ {
+ case CS_SERVER_HELLO_DONE:
+ case CS_CLIENT_SUPPLEMENTAL_DATA:
+ {
+ if (mConnectionState < CS_CLIENT_SUPPLEMENTAL_DATA)
+ {
+ mTlsServer.ProcessClientSupplementalData(null);
+ }
+
+ NotifyClientCertificate(Certificate.EmptyChain);
+ this.mConnectionState = CS_CLIENT_CERTIFICATE;
+ return;
+ }
+ }
 }
- break;
- }
- default:
- {
- base.HandleWarningMessage(description);
- break;
- }
+ throw new TlsFatalAlert(AlertDescription.unexpected_message);
 }
+ }
 }
 protected virtual void NotifyClientCertificate(Certificate clientCertificate) |
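Review bot: The rejection path in the `no_certificate` case is implicit: the inner `switch (this.mConnectionState)` has no `default`, so a non-matching handshake state, a non-SSL context and a null `mCertificateRequest` all fall through to the `throw`, and the only comment in the block covers the SSL 3.0 rule rather than this. A comment directly above the throw would make the state-machine intent reviewable, e.g. `// Any no_certificate alert outside SSL 3.0, without a pending CertificateRequest, or in any other handshake state is fatal.` Separately, `base.HandleWarningMessage(description)` now runs before this validation for every warning, so it is worth confirming (the base method is not visible here) that it has no side effect that should be skipped for an alert that is then rejected with `unexpected_message`. The block also mixes `this.mConnectionState` with bare `mConnectionState`; using one form throughout would read better.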