Fix server side HRR flushing

Flush following the CCS after an HRR. Only flush the HRR if middlebox compat is turned off. Reviewed-by: N Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4701)

Fix server side HRR flushing
Flush following the CCS after an HRR. Only flush the HRR if middlebox compat is turned off. Reviewed-by: N Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4701)
75259b43 · Matt Caswell · 5cc807da · 75259b43
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +6 -2

未找到文件。
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -740,7 +740,8 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
-            if (statem_flush(s) != 1)
+            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
+                    && statem_flush(s) != 1)
                return WORK_MORE_A;
            break;
        }
@@ -777,8 +778,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
        /* Fall through */

    case TLS_ST_SW_CHANGE:
-        if (s->hello_retry_request == SSL_HRR_PENDING)
+        if (s->hello_retry_request == SSL_HRR_PENDING) {
+            if (!statem_flush(s))
+                return WORK_MORE_A;
            break;
+        }
        /*
         * TODO(TLS1.3): This actually causes a problem. We don't yet know
         * whether the next record we are going to receive is an unencrypted