Commit 5cc807da authored by Matt Caswell's avatar Matt Caswell
Browse files

Delay flush until after CCS with early_data 



Normally we flush immediately after writing the ClientHello. However if
we are going to write a CCS immediately because we've got early_data to
come, then we should move the flush until after the CCS.

Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
parent 7b0a3ce0

ssl/statem/extensions_clnt.c

+3 −3
Original line number Diff line number Diff line
@@ -1664,8 +1664,8 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, 
         * TLSv1.3, therefore we shouldn't be getting an HRR for anything else.

         */

        if (version != TLS1_3_VERSION) {

            *al = SSL_AD_PROTOCOL_VERSION;

            SSLerr(SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,

            SSLfatal(s, SSL_AD_PROTOCOL_VERSION,

                     SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,

                     SSL_R_BAD_HRR_VERSION);

            return 0;

        }

ssl/statem/statem_clnt.c

+19 −14
Original line number Diff line number Diff line
@@ -679,28 +679,31 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) 
        break;



    case TLS_ST_CW_CLNT_HELLO:

        if (wst == WORK_MORE_A && statem_flush(s) != 1)

            return WORK_MORE_A;



        if (SSL_IS_DTLS(s)) {

            /* Treat the next message as the first packet */

            s->first_packet = 1;

        }



        if (s->early_data_state == SSL_EARLY_DATA_CONNECTING

                && s->max_early_data > 0

                && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {

                && s->max_early_data > 0) {

            /*

             * We haven't selected TLSv1.3 yet so we don't call the change

             * cipher state function associated with the SSL_METHOD. Instead

             * we call tls13_change_cipher_state() directly.

             */

            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {

                if (!statem_flush(s))

                    return WORK_MORE_A;

                if (!tls13_change_cipher_state(s,

                            SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {

                    /* SSLfatal() already called */

                    return WORK_ERROR;

                }

            }

            /* else we're in compat mode so we delay flushing until after CCS */

        } else if (!statem_flush(s)) {

            return WORK_MORE_A;

        }



        if (SSL_IS_DTLS(s)) {

            /* Treat the next message as the first packet */

            s->first_packet = 1;

        }

        break;



    case TLS_ST_CW_END_OF_EARLY_DATA:
@@ -724,6 +727,8 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) 
            break;

        if (s->early_data_state == SSL_EARLY_DATA_CONNECTING

                    && s->max_early_data > 0) {

            if (statem_flush(s) != 1)

                return WORK_MORE_A;

            /*

             * We haven't selected TLSv1.3 yet so we don't call the change

             * cipher state function associated with the SSL_METHOD. Instead