authorMatt Caswell <matt@openssl.org>2017-02-22 14:09:42 +0000
committerMatt Caswell <matt@openssl.org>2017-03-02 17:44:15 +0000
commitfe5e20fd267bae655c37ba8d67d74c0db566e088 (patch)
tree932dedd015b78f9ff55c50df6715425808c821b4 /ssl/tls13_enc.c
parent1ea4d09a3c049cd3b0748410e0c53b98082980cb (diff)
Fix changing of the cipher state when dealing with early data
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2737)
Diffstat (limited to 'ssl/tls13_enc.c')
-rw-r--r--ssl/tls13_enc.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 2dc7dad629..d42be60c67 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -422,6 +422,16 @@ int tls13_change_cipher_state(SSL *s, int which)
label = client_handshake_traffic;
labellen = sizeof(client_handshake_traffic) - 1;
log_label = CLIENT_HANDSHAKE_LABEL;
+ /*
+ * The hanshake hash used for the server read handshake traffic
+ * secret is the same as the hash for the server write handshake
+ * traffic secret. However, if we processed early data then we delay
+ * changing the server read cipher state until later, and the
+ * handshake hashes have moved on. Therefore we use the value saved
+ * earlier when we did the server write change cipher state.
+ */
+ if (s->server)
+ hash = s->handshake_traffic_hash;
} else {
insecret = s->master_secret;
label = client_application_traffic;
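Review bot: The added `hash = s->handshake_traffic_hash;` under `if (s->server)` reads a saved transcript hash, but nothing in this hunk checks that it has already been written for the current handshake. If this branch were ever reached before the server write change, the client handshake traffic secret would be derived from whatever the field holds. The ordering requirement should be stated in the comment, for example by appending `* This relies on the server write change cipher state having run first.` The same comment also spells "hanshake" where "handshake" is meant. The body of tls13_change_cipher_state starts and ends outside this hunk, so whether a later check covers this cannot be seen from here.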
@@ -469,6 +479,9 @@ int tls13_change_cipher_state(SSL *s, int which)
if (label == server_application_traffic)
memcpy(s->server_finished_hash, hashval, hashlen);
+ if (s->server && label == server_handshake_traffic)
+ memcpy(s->handshake_traffic_hash, hashval, hashlen);
+
if (label == client_application_traffic) {
/*
* We also create the resumption master secret, but this time use the
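Review bot: The new `memcpy(s->handshake_traffic_hash, hashval, hashlen);` copies into a field whose declaration is not part of this diff, so its bound cannot be checked here. That field needs to be at least as large as `hashval`, presumably `EVP_MAX_MD_SIZE`, so that every negotiated digest length fits. The added lines also carry no comment. A line such as `/* Saved for the server read handshake secret, which is derived later if early data was processed */` above the `if` would tie this write to the read added in the first hunk. The rest of the function lies outside this hunk.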