* In TLSv1.3 we have some post-processing to change cipher state, otherwise
* we're done with this message
*/
- if (SSL_CONNECTION_IS_TLS13(s)
- && (!ssl->method->ssl3_enc->setup_key_block(s)
+ if (SSL_CONNECTION_IS_TLS13(s)) {
+ if (!ssl->method->ssl3_enc->setup_key_block(s)
|| !ssl->method->ssl3_enc->change_cipher_state(s,
- SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
- /* SSLfatal() already called */
- goto err;
+ SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+ /*
+ * If we're not doing early-data and we're not going to send a dummy CCS
+ * (i.e. no middlebox compat mode) then we can change the write keys
+ * immediately. Otherwise we have to defer this until after all possible
+ * early data is written. We could just alway defer until the last
+ * moment except QUIC needs it done at the same time as the read keys
+ * are changed. Since QUIC doesn't do TLS early data or need middlebox
+ * compat this doesn't cause a problem.
+ */
+ if (s->early_data_state == SSL_EARLY_DATA_NONE
+ && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
+ && !ssl->method->ssl3_enc->change_cipher_state(s,
+ SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
}
OPENSSL_free(extensions);
return CON_FUNC_ERROR;
}
+ /*
+ * If we attempted to write early data or we're in middlebox compat mode
+ * then we deferred changing the handshake write keys to the last possible
+ * moment. We need to do it now.
+ */
if (SSL_CONNECTION_IS_TLS13(s)
&& SSL_IS_FIRST_HANDSHAKE(s)
+ && (s->early_data_state != SSL_EARLY_DATA_NONE
+ || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
&& (!ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
/*
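Review bot: The deferred-key test `s->early_data_state != SSL_EARLY_DATA_NONE || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0` is re-evaluated from live connection state here and in the two later hunks (the `sc` variant after `WPACKET_close(pkt)` and the one guarded by `s->s3.tmp.cert_req == 0`), while its negation already decided the immediate change next to the `SSL3_CHANGE_CIPHER_CLIENT_READ` call. If either field could differ between those points (not visible from these hunks), the `SSL3_CHANGE_CIPHER_CLIENT_WRITE` handshake keys would be installed twice or not at all, leaving the rest of the client's handshake flight protected under the wrong write state. I would factor the test into one static helper shared by all four sites, or record the decision once when the read keys are changed, and add a comment such as `/* Must mirror the immediate-change test made when the handshake read keys were installed */`. The enclosing function starts and ends outside this hunk.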
|| !WPACKET_close(pkt))
goto err;
+ /*
+ * If we attempted to write early data or we're in middlebox compat mode
+ * then we deferred changing the handshake write keys to the last possible
+ * moment. We need to do it now.
+ */
if (SSL_IS_FIRST_HANDSHAKE(sc)
+ && (sc->early_data_state != SSL_EARLY_DATA_NONE
+ || (sc->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
&& (!ssl->method->ssl3_enc->change_cipher_state(sc,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
/*
s->statem.cleanuphand = 1;
/*
- * We only change the keys if we didn't already do this when we sent the
- * client certificate
+ * If we attempted to write early data or we're in middlebox compat mode
+ * then we deferred changing the handshake write keys to the last possible
+ * moment. If we didn't already do this when we sent the client certificate
+ * then we need to do it now.
*/
if (SSL_CONNECTION_IS_TLS13(s)
&& !s->server
+ && (s->early_data_state != SSL_EARLY_DATA_NONE
+ || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
&& s->s3.tmp.cert_req == 0
&& (!ssl->method->ssl3_enc->change_cipher_state(s,
SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
------------------
No extensions
+Sent Frame: Ack (without ECN)
+ Largest acked: 0
+ Ack delay (raw) 0
+ Ack range count: 0
+ First ack range: 0
Sent Frame: Ack (without ECN)
Largest acked: 0
Ack delay (raw) 0
Version: 0x00000001
Destination Conn Id: 0x????????????????
Source Conn Id: <zero length id>
- Payload length: 1178
+ Payload length: 1137
Token: <zero length token>
Packet Number: 0x00000001
+
Sent Datagram
Length: 1200
Received Datagram
Destination Conn Id: 0x????????????????
Source Conn Id: <zero length id>
Payload length: 60
- Packet Number: 0x00000000
+ Packet Number: 0x00000001
Sent Datagram
Length: 81