diff options
author | Matt Caswell <matt@openssl.org> | 2017-11-30 11:28:26 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-12-14 15:06:38 +0000 |
commit | 5cc807da2571c52cc7c1c87197a81963def7ee3a (patch) | |
tree | c1f93c160ba832949cc0732980ade7bf97e7dec7 /ssl | |
parent | 7b0a3ce0f9f54cf7b527fe57d98748a7aaa571bd (diff) | |
download | openssl-5cc807da2571c52cc7c1c87197a81963def7ee3a.tar.gz |
Delay flush until after CCS with early_data
Normally we flush immediately after writing the ClientHello. However if
we are going to write a CCS immediately because we've got early_data to
come, then we should move the flush until after the CCS.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 6 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 33 |
2 files changed, 22 insertions, 17 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index f357396d81..2b3945970f 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1664,9 +1664,9 @@ int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, * TLSv1.3, therefore we shouldn't be getting an HRR for anything else. */ if (version != TLS1_3_VERSION) { - *al = SSL_AD_PROTOCOL_VERSION; - SSLerr(SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, - SSL_R_BAD_HRR_VERSION); + SSLfatal(s, SSL_AD_PROTOCOL_VERSION, + SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, + SSL_R_BAD_HRR_VERSION); return 0; } return 1; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 80148fa531..6313b31a08 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -679,27 +679,30 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) break; case TLS_ST_CW_CLNT_HELLO: - if (wst == WORK_MORE_A && statem_flush(s) != 1) - return WORK_MORE_A; - - if (SSL_IS_DTLS(s)) { - /* Treat the next message as the first packet */ - s->first_packet = 1; - } - if (s->early_data_state == SSL_EARLY_DATA_CONNECTING - && s->max_early_data > 0 - && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { + && s->max_early_data > 0) { /* * We haven't selected TLSv1.3 yet so we don't call the change * cipher state function associated with the SSL_METHOD. Instead * we call tls13_change_cipher_state() directly. */ - if (!tls13_change_cipher_state(s, - SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { - /* SSLfatal() already called */ - return WORK_ERROR; + if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { + if (!statem_flush(s)) + return WORK_MORE_A; + if (!tls13_change_cipher_state(s, + SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { + /* SSLfatal() already called */ + return WORK_ERROR; + } } + /* else we're in compat mode so we delay flushing until after CCS */ + } else if (!statem_flush(s)) { + return WORK_MORE_A; + } + + if (SSL_IS_DTLS(s)) { + /* Treat the next message as the first packet */ + s->first_packet = 1; } break; @@ -724,6 +727,8 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) break; if (s->early_data_state == SSL_EARLY_DATA_CONNECTING && s->max_early_data > 0) { + if (statem_flush(s) != 1) + return WORK_MORE_A; /* * We haven't selected TLSv1.3 yet so we don't call the change * cipher state function associated with the SSL_METHOD. Instead |