diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 71c1536102..c43f8a7fc8 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -1445,6 +1445,18 @@ struct quic_handshake_wait_args {
     QUIC_CONNECTION *qc;
 };
 
+static int tls_wants_non_io_retry(QUIC_CONNECTION *qc)
+{
+    int want = SSL_want(qc->tls);
+
+    if (want == SSL_X509_LOOKUP
+        || want == SSL_CLIENT_HELLO_CB
+        || want == SSL_RETRY_VERIFY)
+        return 1;
+
+    return 0;
+}
+
 static int quic_handshake_wait(void *arg)
 {
     struct quic_handshake_wait_args *args = arg;
@@ -1455,6 +1467,9 @@ static int quic_handshake_wait(void *arg)
     if (ossl_quic_channel_is_handshake_complete(args->qc->ch))
         return 1;
 
+    if (tls_wants_non_io_retry(args->qc))
+        return 1;
+
     return 0;
 }
 
@@ -1680,10 +1695,20 @@ static int quic_do_handshake(QCTX *ctx)
             return -1; /* Non-protocol error */
         }
 
+        if (tls_wants_non_io_retry(qc)) {
+            QUIC_RAISE_NORMAL_ERROR(ctx, SSL_get_error(qc->tls, 0));
+            return -1;
+        }
+
         assert(ossl_quic_channel_is_handshake_complete(qc->ch));
         return 1;
     }
 
+    if (tls_wants_non_io_retry(qc)) {
+        QUIC_RAISE_NORMAL_ERROR(ctx, SSL_get_error(qc->tls, 0));
+        return -1;
+    }
+
     /*
      * Otherwise, indicate that the handshake isn't done yet.
      * We can only get here in non-blocking mode.
@@ -2069,6 +2094,9 @@ static int error_to_want(int error)
     case SSL_ERROR_WANT_WRITE:
         return SSL_WRITING;
 
+    case SSL_ERROR_WANT_RETRY_VERIFY:
+        return SSL_RETRY_VERIFY;
+
     case SSL_ERROR_WANT_CLIENT_HELLO_CB:
         return SSL_CLIENT_HELLO_CB;
 
diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c
index b0da216e37..ff4c8dac0b 100644
--- a/ssl/quic/quic_tls.c
+++ b/ssl/quic/quic_tls.c
@@ -798,6 +798,9 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
     switch (err) {
     case SSL_ERROR_WANT_READ:
     case SSL_ERROR_WANT_WRITE:
+    case SSL_ERROR_WANT_CLIENT_HELLO_CB:
+    case SSL_ERROR_WANT_X509_LOOKUP:
+    case SSL_ERROR_WANT_RETRY_VERIFY:
         ERR_pop_to_mark();
         return 1;
 
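Review bot: tls_wants_non_io_retry() carries no comment saying why exactly these three SSL_want() states are singled out, yet it is the predicate that quic_handshake_wait() and quic_do_handshake() pivot on in the following hunks, so the rationale belongs here. I would put above the definition `/* Returns 1 if the inner TLS handshake is parked waiting for the application (X509 lookup, client hello callback or retry-verify) rather than for network I/O; such a pause must be reported to the caller instead of being polled for. */`. If SSL_want() on the inner TLS object can also report other application-driven states (async pause, for instance), the comment should state that they are intentionally not covered, since callers will otherwise assume every non-I/O want is surfaced.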
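Review bot: Both new blocks in quic_do_handshake() derive the code to raise with `SSL_get_error(qc->tls, 0)`, but SSL_get_error() consults the thread's error queue before it looks at the want state, and its documentation requires the queue to be empty for the result to be reliable; any stale entry left on the queue by earlier processing would turn the intended SSL_ERROR_WANT_X509_LOOKUP / _CLIENT_HELLO_CB / _RETRY_VERIFY into SSL_ERROR_SSL, and the application would never learn it has a callback to complete. The want state has already been established by tls_wants_non_io_retry(), so the error code should be computed from it directly, with a small inverse of error_to_want(), and the same four-line block, which appears twice in this hunk, then also collapses to a single call site. quic_do_handshake() starts and ends outside the hunk, so I cannot see whether the queue is known to be clean at this point; if it is, a comment saying so would be the minimum.
```c
/* Inverse of error_to_want() for the states tls_wants_non_io_retry() accepts. */
static int want_to_error(int want)
{
    switch (want) {
    case SSL_X509_LOOKUP:
        return SSL_ERROR_WANT_X509_LOOKUP;
    case SSL_CLIENT_HELLO_CB:
        return SSL_ERROR_WANT_CLIENT_HELLO_CB;
    case SSL_RETRY_VERIFY:
        return SSL_ERROR_WANT_RETRY_VERIFY;
    default:
        /* Not reached: the caller has already checked tls_wants_non_io_retry(). */
        return SSL_ERROR_SSL;
    }
}

/* … unchanged: quic_do_handshake() up to the blocking-mode branch … */
        if (tls_wants_non_io_retry(qc)) {
            QUIC_RAISE_NORMAL_ERROR(ctx, want_to_error(SSL_want(qc->tls)));
            return -1;
        }
```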
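Review bot: error_to_want() gains a case for SSL_ERROR_WANT_RETRY_VERIFY, but the matching case for SSL_ERROR_WANT_X509_LOOKUP, the third state tls_wants_non_io_retry() relies on, is not in this hunk; if it is not already present in the part of the switch above the visible lines, SSL_want() on the QUIC SSL object would report SSL_NOTHING after an X509-lookup pause even though the inner TLS object reports SSL_X509_LOOKUP, and applications polling SSL_want() would miss it. Please confirm the existing switch covers it, or add `case SSL_ERROR_WANT_X509_LOOKUP: return SSL_X509_LOOKUP;` next to the new case. error_to_want() starts and ends outside the hunk.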
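Review bot: The three new cases make ossl_quic_tls_tick() report success (return 1) for an inner handshake that has not progressed and cannot progress until the application acts, which is a deliberate change of meaning that the hunk leaves undocumented; a reader will otherwise take them for ordinary transient I/O conditions like the two cases above them. I would add, before the new cases, `/* Not failures: the TLS handshake is parked waiting for the application (client hello callback, X509 lookup, retry-verify); the QUIC layer reports this to the caller via SSL_want() on the inner TLS object in quic_do_handshake(). */`. Since the tick presumably keeps being driven while the application has not yet completed the callback, it is also worth a sentence stating that repeated ticks in this state are expected to be harmless no-ops. ossl_quic_tls_tick() starts outside the hunk, so the code that produced `err` is not visible here.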