]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c967dc7)
Make similar changes to dtls1_do_write() for dtls1.3 as in ssl3_do_write() for tls1.3
authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Mon, 16 Oct 2023 08:43:17 +0000 (10:43 +0200)
committerTomas Mraz <tomas@openssl.org>
Thu, 9 Jan 2025 16:02:19 +0000 (17:02 +0100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22360)

ssl/statem/statem_dtls.c patch | blob | blame | history

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index b583e312d994a62104d98ebc9b6b20067d5f49de..ccffe02c226efd9af0275afd7833c1e6363c3a08 100644 (file)
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -288,9 +288,19 @@ int dtls1_do_write(SSL_CONNECTION *s, uint8_t type)
                     p += DTLS1_HM_HEADER_LENGTH;
                     xlen = written - DTLS1_HM_HEADER_LENGTH;
                 }
-
-                if (!ssl3_finish_mac(s, p, xlen))
-                    return -1;
+                /*
+                 * should not be done for 'Hello Request's, but in that case we'll
+                 * ignore the result anyway
+                 * DTLS1.3 KeyUpdate and NewSessionTicket do not need to be added
+                 */
+                if (!SSL_CONNECTION_IS_DTLS13(s)
+                    || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
+                        && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
+                        && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) {
+                    if (!ssl3_finish_mac(s, p, xlen)) {
+                        return -1;
+                    }
+                }
             }
 
             if (written == s->init_num) {
Mirror of https://github.com/openssl/openssl.git