Check epoch for early data

wolfSSL · Nov 4, 2024 · 5bc3915 · 5bc3915
1 parent 1078deb
commit 5bc3915
Showing 1 changed file with 14 additions and 8 deletions.
diff --git a/src/internal.c b/src/internal.c
@@ -20641,19 +20641,25 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
 #ifdef HAVE_LIBZ
     byte   decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
 #endif
+#ifdef WOLFSSL_EARLY_DATA
+    int    isEarlyData = ssl->options.tls1_3 &&
+                         ssl->options.handShakeDone == 0 &&
+                         ssl->options.side == WOLFSSL_SERVER_END;
+    int    acceptEarlyData = ssl->earlyData != no_early_data &&
+                         ssl->options.clientState == CLIENT_HELLO_COMPLETE;
+#endif
 
+#if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_DTLS13)
+    if (ssl->options.tls1_3 && ssl->options.dtls)
+        isEarlyData = isEarlyData && w64Equal(ssl->keys.curEpoch64,
+                w64From32(0x0, DTLS13_EPOCH_EARLYDATA));
+#endif
 
 #ifdef WOLFSSL_EARLY_DATA
-    if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0 &&
-            ssl->options.side == WOLFSSL_SERVER_END &&
-            ssl->earlyData != no_early_data &&
-            ssl->options.clientState == CLIENT_HELLO_COMPLETE) {
+    if (isEarlyData && acceptEarlyData) {
         WOLFSSL_MSG("Processing EarlyData");
     }
-    else if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0 &&
-            ssl->options.side == WOLFSSL_SERVER_END &&
-            !(ssl->earlyData != no_early_data &&
-              ssl->options.clientState == CLIENT_HELLO_COMPLETE)) {
+    else if (isEarlyData && !acceptEarlyData) {
         WOLFSSL_MSG("Ignoring EarlyData!");
         *inOutIdx += ssl->curSize;
         if (*inOutIdx > ssl->buffers.inputBuffer.length)