tls13: early data: Improve, add comments
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 5644f08..2aae32e 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2074,7 +2074,8 @@
* namely mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
* mbedtls_ssl_read() or mbedtls_ssl_write() may return with the error code
* MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have
- * been received. To read the early data, call mbedtls_ssl_read_early_data().
+ * been received. To read the early data, call mbedtls_ssl_read_early_data()
+ * before calling the original function again.
*
* \warning This interface is experimental and may change without notice.
*
@@ -5124,7 +5125,7 @@
*
* \note This API is server specific.
*
- * \note Early data is defined in the TLS 1.3 specification, RFC 8446.
+ * \warning Early data is defined in the TLS 1.3 specification, RFC 8446.
* IMPORTANT NOTE from section 2.3 of the specification:
*
* The security properties for 0-RTT data are weaker than
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 3547f67..20501c9 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5873,6 +5873,10 @@
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
+ /*
+ * The server may receive early data only while waiting for the End of
+ * Early Data handshake message.
+ */
if ((ssl->state != MBEDTLS_SSL_END_OF_EARLY_DATA) ||
(ssl->in_offt == NULL)) {
return MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA;