Tolerate encrypted or plaintext alerts

[openssl.git] / ssl / record / ssl3_record_tls13.c

diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index cbf6a652e7050c06f0fa91f9eea50caa3f817715..a11ed483e6682b559bdd35f429eed532f29ca9bf 100644 (file)
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -52,10 +52,13 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
         seq = RECORD_LAYER_get_read_sequence(&s->rlayer);
     }
 
-    if (ctx == NULL
-            || (rec->type == SSL3_RT_ALERT
-                && s->statem.enc_write_state
-                   == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS)) {
+    /*
+     * If we're sending an alert and ctx != NULL then we must be forcing
+     * plaintext alerts. If we're reading and ctx != NULL then we allow
+     * plaintext alerts at certain points in the handshake. If we've got this
+     * far then we have already validated that a plaintext alert is ok here.
+     */
+    if (ctx == NULL || rec->type == SSL3_RT_ALERT) {
         memmove(rec->data, rec->input, rec->length);
         rec->input = rec->data;
         return 1;