Make SSL_write_early_finish() an internal only function

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index baeb3bb..5ec116e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -105,6 +105,8 @@
     },
 };
 
+static int ssl_write_early_finish(SSL *s);
+
 static int dane_ctx_enable(struct dane_ctx_st *dctx)
 {
     const EVP_MD **mdevp;
@@ -1753,7 +1755,7 @@
          * We're still writing early data. We need to stop that so we can write
          * normal data
          */
-        if (!SSL_write_early_finish(s))
+        if (!ssl_write_early_finish(s))
             return 0;
     } else if (s->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY
                 || s->early_data_state == SSL_EARLY_DATA_ACCEPT_RETRY) {
@@ -1853,7 +1855,7 @@
     }
 }
 
-int SSL_write_early_finish(SSL *s)
+static int ssl_write_early_finish(SSL *s)
 {
     int ret;
 
@@ -3242,21 +3244,14 @@
         return -1;
     }
 
-    if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
-            || s->early_data_state == SSL_EARLY_DATA_READ_RETRY) {
-        /*
-         * We skip this if we were called via SSL_read_early() or
-         * SSL_write_early()
-         */
-        if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
-            int edfin;
+    if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
+        int edfin;
 
-            edfin = SSL_write_early_finish(s);
-            if (edfin <= 0)
-                return edfin;
-        }
-        ossl_statem_set_in_init(s, 1);
+        edfin = ssl_write_early_finish(s);
+        if (edfin <= 0)
+            return edfin;
     }
+    ossl_statem_check_finish_init(s, -1);
 
     s->method->ssl_renegotiate_check(s, 0);
 
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 8a251ea..11cbe55 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -168,9 +168,21 @@
     return 1;
 }
 
+/*
+ * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept()
+ * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early
+ * data state and whether we should attempt to move the handshake on if so.
+ * |send| is 1 if we are attempting to send data (SSL_write*()), 0 if we are
+ * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake()
+ * or similar.
+ */
 void ossl_statem_check_finish_init(SSL *s, int send)
 {
-    if (!s->server) {
+    if (send == -1) {
+        if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
+                || s->statem.hand_state == TLS_ST_EARLY_DATA)
+            ossl_statem_set_in_init(s, 1);
+    } else if (!s->server) {
         if ((send && s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
                   && s->early_data_state != SSL_EARLY_DATA_WRITING)
                 || (!send && s->statem.hand_state == TLS_ST_EARLY_DATA))