commit fe5e20fd267bae655c37ba8d67d74c0db566e088
author Matt Caswell <matt@openssl.org> Wed Feb 22 14:09:42 2017 +0000
committer Matt Caswell <matt@openssl.org> Thu Mar 02 17:44:15 2017 +0000
tree 932dedd015b78f9ff55c50df6715425808c821b4
parent 1ea4d09a3c049cd3b0748410e0c53b98082980cb

Fix changing of the cipher state when dealing with early data

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

ssl/tls13_enc.c

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 2dc7dad..d42be60 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -422,6 +422,16 @@
             label = client_handshake_traffic;
             labellen = sizeof(client_handshake_traffic) - 1;
             log_label = CLIENT_HANDSHAKE_LABEL;
+            /*
+             * The hanshake hash used for the server read handshake traffic
+             * secret is the same as the hash for the server write handshake
+             * traffic secret. However, if we processed early data then we delay
+             * changing the server read cipher state until later, and the
+             * handshake hashes have moved on. Therefore we use the value saved
+             * earlier when we did the server write change cipher state.
+             */
+            if (s->server)
+                hash = s->handshake_traffic_hash;
         } else {
             insecret = s->master_secret;
             label = client_application_traffic;
@@ -469,6 +479,9 @@
     if (label == server_application_traffic)
         memcpy(s->server_finished_hash, hashval, hashlen);
 
+    if (s->server && label == server_handshake_traffic)
+        memcpy(s->handshake_traffic_hash, hashval, hashlen);
+
     if (label == client_application_traffic) {
         /*
          * We also create the resumption master secret, but this time use the