authorMatt Caswell <matt@openssl.org>2022-09-16 17:34:40 +0100
committerMatt Caswell <matt@openssl.org>2022-10-12 15:53:31 +0100
commit2c50d7fb06e34c5ab562bf890c49cc00cbd52a56 (patch)
tree40186d7b6b878a9e22bdf93bfd0fde941210238f /ssl/statem
parentef917549f5867d269d359155ff67b8ccb5e66a76 (diff)
downloadopenssl-new-2c50d7fb06e34c5ab562bf890c49cc00cbd52a56.tar.gz
Convert the TLSv1.3 crypto code to the new write record layer
We also clean up some of the KTLS code while we are doing it now that all users of KTLS have been moved to the new write record layer. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19343)
Diffstat (limited to 'ssl/statem')
-rw-r--r--ssl/statem/statem_clnt.c25
1 files changed, 16 insertions, 9 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d07c45879c..516aaf3984 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -682,6 +682,22 @@ WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst)
/* SSLfatal() already called */
return WORK_ERROR;
}
+ } else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED) {
+ /*
+ * This must be a second ClientHello after an HRR following an
+ * earlier rejected attempt to send early data. Since we were
+ * previously encrypting the early data we now need to reset the
+ * write record layer in order to write in plaintext again.
+ */
+ if (!ssl_set_new_record_layer(s,
+ TLS_ANY_VERSION,
+ OSSL_RECORD_DIRECTION_WRITE,
+ OSSL_RECORD_PROTECTION_LEVEL_NONE,
+ NULL, 0, NULL, 0, NULL, 0, NULL, 0,
+ NID_undef, NULL, NULL)) {
+ /* SSLfatal already called */
+ return WORK_ERROR;
+ }
}
break;
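Review bot: The new `else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED)` branch carries its "second ClientHello after an HRR" precondition only in the comment; nothing in the condition itself ties the reset to an HRR round-trip having happened, so if the rejected state can be reached on this path by any other route the write record layer would be silently rebuilt at `OSSL_RECORD_PROTECTION_LEVEL_NONE`. If the state machine already tracks a pending HRR (it appears to elsewhere in OpenSSL as `s->hello_retry_request`, please verify the name), consider qualifying the test, e.g. `} else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED && s->hello_retry_request == SSL_HRR_PENDING) {`, or otherwise extend the comment to say why the weaker check is sufficient and that any early data still buffered in the old write layer is dropped by the reset. Minor style point: the added `/* SSLfatal already called */` drops the parentheses that the sibling comment at the top of the hunk uses; `/* SSLfatal() already called */` keeps the two consistent. The enclosing `ossl_statem_client_pre_work` switch starts before this hunk and continues after it, so the preceding `if` whose condition this `else if` chains on is not visible here.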
@@ -767,15 +783,6 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst)
}
break;
- case TLS_ST_CW_END_OF_EARLY_DATA:
- /*
- * We set the enc_write_ctx back to NULL because we may end up writing
- * in cleartext again if we get a HelloRetryRequest from the server.
- */
- EVP_CIPHER_CTX_free(s->enc_write_ctx);
- s->enc_write_ctx = NULL;
- break;
-
case TLS_ST_CW_KEY_EXCH:
if (tls_client_key_exchange_post_work(s) == 0) {
/* SSLfatal() already called */