Fix error codes for unsolicited compressed certificate

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index 4059db38decc002959e568293e2027d945f2f285..a9e7c312b5aef3ba9f3a76484cf3c13d2288a61a 100644 (file)
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -60,7 +60,11 @@ int _gnutls13_recv_certificate(gnutls_session_t session)
        if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) {
                /* check if we received compressed certificate */
                err = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT, 0, &buf);
-               if (err >= 0 && (session->internals.hsk_flags & HSK_COMP_CRT_REQ_SENT)) {
+               if (err >= 0) {
+                       /* fail if we receive unsolicited compressed certificate */
+                       if (!(session->internals.hsk_flags & HSK_COMP_CRT_REQ_SENT))
+                               return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+
                        decompress_cert = 1;
                        ret = err;
                }