Delay flush until after CCS with early_data

Normally we flush immediately after writing the ClientHello. However if we are going to write a CCS immediately because we've got early_data to come, then we should move the flush until after the CCS. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4701)
author: Matt Caswell <matt@openssl.org> 2017-11-30 11:28:26 +0000
committer: Matt Caswell <matt@openssl.org> 2017-12-14 15:06:38 +0000
commit: 5cc807da2571c52cc7c1c87197a81963def7ee3a (patch)
tree: c1f93c160ba832949cc0732980ade7bf97e7dec7 /ssl/statem/statem_clnt.c
parent: 7b0a3ce0f9f54cf7b527fe57d98748a7aaa571bd (diff)
1 files changed, 19 insertions, 14 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 80148fa531..6313b31a08 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -679,27 +679,30 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
         break;
 
     case TLS_ST_CW_CLNT_HELLO:
-        if (wst == WORK_MORE_A && statem_flush(s) != 1)
-            return WORK_MORE_A;
-
-        if (SSL_IS_DTLS(s)) {
-            /* Treat the next message as the first packet */
-            s->first_packet = 1;
-        }
-
         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
-                && s->max_early_data > 0
-                && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
+                && s->max_early_data > 0) {
             /*
              * We haven't selected TLSv1.3 yet so we don't call the change
              * cipher state function associated with the SSL_METHOD. Instead
              * we call tls13_change_cipher_state() directly.
              */
-            if (!tls13_change_cipher_state(s,
-                        SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
-                /* SSLfatal() already called */
-                return WORK_ERROR;
+            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
+                if (!statem_flush(s))
+                    return WORK_MORE_A;
+                if (!tls13_change_cipher_state(s,
+                            SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
+                    /* SSLfatal() already called */
+                    return WORK_ERROR;
+                }
             }
+            /* else we're in compat mode so we delay flushing until after CCS */
+        } else if (!statem_flush(s)) {
+            return WORK_MORE_A;
+        }
+
+        if (SSL_IS_DTLS(s)) {
+            /* Treat the next message as the first packet */
+            s->first_packet = 1;
         }
         break;
 
@@ -724,6 +727,8 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
             break;
         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
                     && s->max_early_data > 0) {
+            if (statem_flush(s) != 1)
+                return WORK_MORE_A;
             /*
              * We haven't selected TLSv1.3 yet so we don't call the change
              * cipher state function associated with the SSL_METHOD. Instead
author	Matt Caswell <matt@openssl.org>	2017-11-30 11:28:26 +0000
committer	Matt Caswell <matt@openssl.org>	2017-12-14 15:06:38 +0000
commit	5cc807da2571c52cc7c1c87197a81963def7ee3a (patch)
tree	c1f93c160ba832949cc0732980ade7bf97e7dec7 /ssl/statem/statem_clnt.c
parent	7b0a3ce0f9f54cf7b527fe57d98748a7aaa571bd (diff)