-rw-r--r--ssl/statem/statem.c10
-rw-r--r--ssl/statem/statem.h1
-rw-r--r--ssl/tls13_enc.c2
-rw-r--r--test/tls13secretstest.c5
4 files changed, 17 insertions, 1 deletions
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 45cb9ab092..95c369a883 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -941,3 +941,13 @@ int ossl_statem_app_data_allowed(SSL *s)
return 0;
}
+
+/*
+ * This function returns 1 if TLS exporter is ready to export keying
+ * material, or 0 if otherwise.
+ */
+int ossl_statem_export_allowed(SSL *s)
+{
+ return s->s3->previous_server_finished_len != 0
+ && s->statem.hand_state != TLS_ST_SW_FINISHED;
+}
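Review bot: The comment on `ossl_statem_export_allowed` says what is returned but not why these two conditions mean "ready", and that reasoning is the security-relevant part of the check. I would extend it to state that `previous_server_finished_len != 0` is used as the sign that the server Finished has been produced or received. It should also say why `TLS_ST_SW_FINISHED` is excluded; presumably the exporter secret is not yet derived while the server is still in that state, but the author should confirm this. It is also worth confirming that `previous_server_finished_len` is cleared when an SSL object is reset or reused, since a stale non-zero value would let the check pass before a new handshake has derived its secrets.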
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
index e8d9174b8f..3242c781e0 100644
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -132,6 +132,7 @@ __owur int ossl_statem_skip_early_data(SSL *s);
void ossl_statem_check_finish_init(SSL *s, int send);
void ossl_statem_set_hello_verify_done(SSL *s);
__owur int ossl_statem_app_data_allowed(SSL *s);
+__owur int ossl_statem_export_allowed(SSL *s);
/* Flush the write BIO */
int statem_flush(SSL *s);
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index f555df54fc..05355fb714 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -666,7 +666,7 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
unsigned int hashsize, datalen;
int ret = 0;
- if (ctx == NULL)
+ if (ctx == NULL || !ossl_statem_export_allowed(s))
goto err;
if (!use_context)
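Review bot: Folding the new state check into `if (ctx == NULL || !ossl_statem_export_allowed(s))` makes an export attempted too early indistinguishable from an allocation failure, because both take the same `goto err`. The `err` label is outside this hunk, so I cannot see whether anything is put on the error queue there. If nothing is, a caller gets a bare failure with no hint that it should retry after the handshake. I would split the test and comment it, for example `if (!ossl_statem_export_allowed(s)) goto err; /* exporter secret not derived yet */`, and raise a distinct error for that case. The function body starts and ends outside the hunk.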
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index 16542c4481..f08b5d3722 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -212,6 +212,11 @@ void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
{
}
+int ossl_statem_export_allowed(SSL *s)
+{
+ return 1;
+}
+
/* End of mocked out code */
static int test_secret(SSL *s, unsigned char *prk,
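Review bot: The mocked `ossl_statem_export_allowed` always returns 1, so this test file can only exercise the path where export is permitted. Nothing visible in this commit tests the refusal path that the change introduces. A handshake-level test that calls `SSL_export_keying_material` before the handshake has completed and expects it to fail would pin the new behaviour and guard against regressions of the check. A short comment on the mock, such as `/* export is always allowed in this unit test; the state check is covered elsewhere */`, would also help once that test exists.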