author | Matt Caswell <matt@openssl.org> | 2017-11-30 14:29:28 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-12-14 15:06:38 +0000 |
commit | 75259b4346a1a786b4a23987123b18b674327b8d (patch) | |
tree | cdc1cc99c703c26c1b8b6dbc4c6b551ab683e530 /ssl | |
parent | 5cc807da2571c52cc7c1c87197a81963def7ee3a (diff) |
Fix server side HRR flushing
Flush following the CCS after an HRR. Only flush the HRR if middlebox
compat is turned off.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/statem_srvr.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 4f0487cc0f..249ee403fe 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -740,7 +740,8 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
 case TLS_ST_SW_SRVR_HELLO:
 if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
- if (statem_flush(s) != 1)
+ if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
+ && statem_flush(s) != 1)
 return WORK_MORE_A;
 break;
 }
@@ -777,8 +778,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
 /* Fall through */
 case TLS_ST_SW_CHANGE:
- if (s->hello_retry_request == SSL_HRR_PENDING)
+ if (s->hello_retry_request == SSL_HRR_PENDING) {
+ if (!statem_flush(s))
+ return WORK_MORE_A;
 break;
+ }
 /*
 * TODO(TLS1.3): This actually causes a problem. We don't yet know
 * whether the next record we are going to receive is an unencrypted |
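Review bot: In the `TLS_ST_SW_SRVR_HELLO` case the HelloRetryRequest is now left in the write buffer whenever `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` is set, and nothing at that spot says which later state is responsible for flushing it. Going by the commit message, that is the flush added under `TLS_ST_SW_CHANGE`, so the two cases are coupled without either one saying so. A comment above the condition would record the dependency, for example `/* With middlebox compat a CCS follows the HRR; the flush is done in TLS_ST_SW_CHANGE */`. It is also worth confirming, outside this hunk, that the write transition always reaches `TLS_ST_SW_CHANGE` when the option is set, since otherwise the HRR would presumably stay buffered and the handshake would stall. The body of ossl_statem_server_post_work starts and ends outside the hunk.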
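Review bot: The flush check added in the `TLS_ST_SW_CHANGE` case is written `if (!statem_flush(s))`, while the same function tests `statem_flush(s) != 1` in the `TLS_ST_SW_SRVR_HELLO` case. The two forms agree only if statem_flush() returns exactly 0 or 1, which this page does not show; a negative return would be treated as success by the new form. Writing `if (statem_flush(s) != 1)` here as well keeps the handling of a failed or incomplete flush identical in both cases. The enclosing switch continues outside the hunk.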