From 7daf7156d8fb10e8ec18d806b653d425707c2c0d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 24 Feb 2017 13:51:04 +0000
Subject: [PATCH] Don't attempt to write more early_data than we know the
 server will accept

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
---
 ssl/record/rec_layer_s3.c |  4 ++++
 ssl/record/ssl3_record.c  | 18 +++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 1dc2956478..2cdc62d478 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -348,6 +348,10 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
         return -1;
     }
 
+    if (s->early_data_state == SSL_EARLY_DATA_WRITING
+            && !early_data_count_ok(s, len, 0, NULL))
+        return -1;
+
     s->rlayer.wnum = 0;
 
     if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)) {
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 50582d1a73..4149969f2d 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -106,14 +106,17 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al)
     uint32_t max_early_data = s->max_early_data;
 
     /*
-     * We go with the lowest out of the max early data set in the session
-     * and the configured max_early_data.
+     * If we are a client then we always use the max_early_data from the
+     * session. Otherwise we go with the lowest out of the max early data set in
+     * the session and the configured max_early_data.
      */
-    if (s->hit && s->session->ext.max_early_data < s->max_early_data)
+    if (!s->server || (s->hit
+                       && s->session->ext.max_early_data < s->max_early_data))
         max_early_data = s->session->ext.max_early_data;
 
     if (max_early_data == 0) {
-        *al = SSL_AD_UNEXPECTED_MESSAGE;
+        if (al != NULL)
+            *al = SSL_AD_UNEXPECTED_MESSAGE;
         SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
         return 0;
     }
@@ -121,12 +124,13 @@ int early_data_count_ok(SSL *s, size_t length, size_t overhead, int *al)
     /* If we are dealing with ciphertext we need to allow for the overhead */
     max_early_data += overhead;
 
-    s->early_data_count += length;
-    if (s->early_data_count > max_early_data) {
-        *al = SSL_AD_UNEXPECTED_MESSAGE;
+    if (s->early_data_count + length > max_early_data) {
+        if (al != NULL)
+            *al = SSL_AD_UNEXPECTED_MESSAGE;
         SSLerr(SSL_F_EARLY_DATA_COUNT_OK, SSL_R_TOO_MUCH_EARLY_DATA);
         return 0;
     }
+    s->early_data_count += length;
 
     return 1;
 }
-- 
GitLab