Don't calculate the Finished MAC twice

[openssl.git] / ssl / statem / statem_dtls.c

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 8604d5bdb2bf3de4fa2914dd61e9e240c2cba43d..0ac60cbf995cc8850b3987f5e56a3b169672527d 100644 (file)
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -376,6 +376,15 @@ int dtls_get_message(SSL *s, int *mt, size_t *len)
         msg_len += DTLS1_HM_HEADER_LENGTH;
     }
 
+    /*
+     * If receiving Finished, record MAC of prior handshake messages for
+     * Finished verification.
+     */
+    if (*mt == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
+        /* SSLfatal() already called */
+        return 0;
+    }
+
     if (!ssl3_finish_mac(s, p, msg_len))
         return 0;
     if (s->msg_callback)