From 3329b24132fc59aca54c6ed8407b4a75bc5a7fce Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Thu, 1 Jun 2017 17:03:32 +0700
Subject: Tighten up no_certificate alert handling

---
 crypto/src/crypto/tls/TlsServerProtocol.cs | 31 ++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs
index 5f3ce18e2..298c9f42d 100644
--- a/crypto/src/crypto/tls/TlsServerProtocol.cs
+++ b/crypto/src/crypto/tls/TlsServerProtocol.cs
@@ -388,26 +388,37 @@ namespace Org.BouncyCastle.Crypto.Tls
 
 protected override void HandleWarningMessage(byte description)
 {
+ base.HandleWarningMessage(description);
+
 switch (description)
 {
 case AlertDescription.no_certificate:
 {
 /*
- * SSL 3.0 If the server has sent a certificate request Message, the client must Send
+ * SSL 3.0 If the server has sent a certificate request Message, the client must send
 * either the certificate message or a no_certificate alert.
 */
- if (TlsUtilities.IsSsl(Context) && mCertificateRequest != null)
+ if (TlsUtilities.IsSsl(Context) && this.mCertificateRequest != null)
 {
- NotifyClientCertificate(Certificate.EmptyChain);
+ switch (this.mConnectionState)
+ {
+ case CS_SERVER_HELLO_DONE:
+ case CS_CLIENT_SUPPLEMENTAL_DATA:
+ {
+ if (mConnectionState < CS_CLIENT_SUPPLEMENTAL_DATA)
+ {
+ mTlsServer.ProcessClientSupplementalData(null);
+ }
+
+ NotifyClientCertificate(Certificate.EmptyChain);
+ this.mConnectionState = CS_CLIENT_CERTIFICATE;
+ return;
+ }
+ }
 }
- break;
- }
- default:
- {
- base.HandleWarningMessage(description);
- break;
- }
+ throw new TlsFatalAlert(AlertDescription.unexpected_message);
 }
+ }
 }
 
 protected virtual void NotifyClientCertificate(Certificate clientCertificate)
-- 
cgit 1.4.1
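Review bot: The state test `if (mConnectionState < CS_CLIENT_SUPPLEMENTAL_DATA)` inside the `CS_SERVER_HELLO_DONE`/`CS_CLIENT_SUPPLEMENTAL_DATA` case depends on the numeric ordering of the CS_ constants, which this hunk does not show; since the enclosing `case` labels leave only those two states reachable, `if (mConnectionState == CS_SERVER_HELLO_DONE)` states the intent directly and cannot break if the constants are ever renumbered. The sequence that follows (supplemental data, `NotifyClientCertificate(Certificate.EmptyChain)`, state set to `CS_CLIENT_CERTIFICATE`) presumably mirrors the `HandshakeType.certificate` branch of the handshake handler outside this hunk; if so, a shared helper would keep the SSL 3.0 alert path from drifting from the Certificate-message path, since both feed the server's client-authentication decision. Calling `base.HandleWarningMessage(description)` unconditionally before the no_certificate handling means the SSL 3.0 branch only runs if the base class leaves `no_certificate` alone, which is not visible here and is worth confirming, because a later base-class rejection of that alert would silently disable this branch. The final `throw new TlsFatalAlert(AlertDescription.unexpected_message)` deserves a why-comment such as `// no_certificate is only meaningful for SSL 3.0 while the client Certificate is pending; anywhere else it is a protocol violation`. `HandleWarningMessage` is fully inside the hunk; the `NotifyClientCertificate` signature at the end continues outside it.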