authorMatt Caswell <matt@openssl.org>2017-07-05 20:53:03 +0100
committerMatt Caswell <matt@openssl.org>2017-08-31 15:02:22 +0100
commitadd8d0e9e0bb80728f4b89d15573bf2e70596ceb (patch)
tree6cae02f58f6a3996a1288bedf14183d6a408dec8 /ssl/record
parent177503752b24299cc97ccf07062a3b79c4f28899 (diff)
Enable the ability to use an external PSK for sending early_data
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3926)
Diffstat (limited to 'ssl/record')
-rw-r--r--ssl/record/ssl3_record.c19
-rw-r--r--ssl/record/ssl3_record_tls13.c5
2 files changed, 18 insertions, 6 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index ae485046a4..fa7f5d94f7 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -104,15 +104,24 @@ static int ssl3_record_app_data_waiting(SSL *s)
int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al)
{
uint32_t max_early_data = s->max_early_data;
+ SSL_SESSION *sess = s->session;
/*
* If we are a client then we always use the max_early_data from the
- * session. Otherwise we go with the lowest out of the max early data set in
- * the session and the configured max_early_data.
+ * session/psksession. Otherwise we go with the lowest out of the max early
+ * data set in the session and the configured max_early_data.
*/
- if (!s->server || (s->hit
- && s->session->ext.max_early_data < s->max_early_data))
- max_early_data = s->session->ext.max_early_data;
+ if (!s->server && sess->ext.max_early_data == 0) {
+ if (!ossl_assert(s->psksession != NULL
+ && s->psksession->ext.max_early_data > 0)) {
+ SSLerr(SSL_F_EARLY_DATA_COUNT_OK, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ sess = s->psksession;
+ }
+ if (!s->server
+ || (s->hit && sess->ext.max_early_data < s->max_early_data))
+ max_early_data = sess->ext.max_early_data;
if (max_early_data == 0) {
if (al != NULL)
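Review bot: The new client-side test reads `sess->ext.max_early_data` without first checking that `s->session` is non-NULL, while the tls13_enc change in this same commit tests `s->session != NULL` before the equivalent read. If a client sending early data under an external PSK can reach this function with no session set (the hunk does not show whether it can), that first condition is a NULL dereference rather than a fall-through to `s->psksession`. Making the two sites agree would be `if (!s->server && (sess == NULL || sess->ext.max_early_data == 0)) {`. The body of early_data_count_ok continues past the end of the hunk.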
diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index ec8f9f9e8f..0c3fc6bf16 100644
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -58,7 +58,10 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
if (s->early_data_state == SSL_EARLY_DATA_WRITING
|| s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
- alg_enc = s->session->cipher->algorithm_enc;
+ if (s->session != NULL && s->session->ext.max_early_data > 0)
+ alg_enc = s->session->cipher->algorithm_enc;
+ else
+ alg_enc = s->psksession->cipher->algorithm_enc;
} else {
/*
* To get here we must have selected a ciphersuite - otherwise ctx would
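Review bot: The new `else` branch reads `s->psksession->cipher->algorithm_enc` with no check that `s->psksession` is set. In this same commit, early_data_count_ok guards the same fallback with `ossl_assert(s->psksession != NULL && s->psksession->ext.max_early_data > 0)`. The branch is taken whenever `s->session` is NULL or carries no max_early_data, so a state mismatch here becomes a NULL dereference in the record-encryption path instead of a reported internal error. I would repeat that `ossl_assert` guard before the assignment and fail through the function's existing error return when it does not hold. tls13_enc starts before and ends after this hunk.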