diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 94a7ae6f5..b31cc2318 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3274,20 +3274,15 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
 if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ||
 ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_PSK ||
- ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK )
- {
- SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
- ssl->state++;
- return( 0 );
- }
-
- if( ssl->session_negotiate->peer_cert == NULL )
+ ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_PSK ||
+ ssl->session_negotiate->peer_cert == NULL )
 {
 SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
 ssl->state++;
 return( 0 );
 }
+ /* Needs to be done before read_record() to exclude current message */
 ssl->handshake->calc_verify( ssl, hash );
 if( ( ret = ssl_read_record( ssl ) ) != 0 )
@@ -3298,13 +3293,8 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
 ssl->state++;
- if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
- {
- SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
- return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
- }
-
- if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
+ if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ||
+ ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
 {
 SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
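Review bot: The merged skip condition at the top of the first hunk now treats `ssl->session_negotiate->peer_cert == NULL` exactly like the PSK key exchanges, but nothing in the code says why skipping CertificateVerify is safe when the client sent no certificate. That holds only if a missing certificate under mandatory client authentication was already rejected earlier in the handshake, which is not visible in this hunk. I would add a comment above the `if`, for example `/* No client cert: nothing to verify; required client auth is presumably enforced when the Certificate message is parsed */`, and confirm that invariant before merging. The function body starts and ends outside the hunk.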
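Review bot: In the second hunk `ssl->state++` runs before the combined `in_msgtype` / `in_msg[0]` check, so a record that fails the check returns `POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY` with the state machine already advanced past CertificateVerify. That is safe only if every caller treats this error as fatal and tears the session down, which cannot be seen from here. Either move the increment to after the message has been validated, or document the assumption with `/* state already advanced: any error below must abort the handshake */`. The function continues outside the hunk, so later error returns may be affected in the same way.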