From d7f8783ff9e88ad34e010564d721a55a48c6d674 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Sat, 25 Feb 2017 15:59:44 +0000
Subject: [PATCH] Enable the server to call SSL_write() without stopping the ability to call SSL_read_early()

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/2737)
---
 include/openssl/ssl.h | 4 ++--
 ssl/statem/statem.c | 8 +++++---
 ssl/statem/statem_clnt.c | 14 +++++++-------
 ssl/statem/statem_srvr.c | 7 ++++++-
 4 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index dabcc4a6a2..38185975be 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -900,8 +900,8 @@ typedef enum {
 TLS_ST_CW_KEY_UPDATE,
 TLS_ST_SR_KEY_UPDATE,
 TLS_ST_CR_KEY_UPDATE,
- TLS_ST_CW_EARLY_DATA,
- TLS_ST_CW_PENDING_EARLY_DATA_END
+ TLS_ST_EARLY_DATA,
+ TLS_ST_PENDING_EARLY_DATA_END
 } OSSL_HANDSHAKE_STATE;

 /*
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index a1807f2a40..50c4345971 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -170,9 +170,11 @@ int ossl_statem_skip_early_data(SSL *s)

 void ossl_statem_check_finish_init(SSL *s, int send)
 {
- if ((send && s->statem.hand_state == TLS_ST_CW_PENDING_EARLY_DATA_END)
- || (!send && s->statem.hand_state == TLS_ST_CW_EARLY_DATA))
- ossl_statem_set_in_init(s, 1);
+ if (!s->server) {
+ if ((send && s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END)
+ || (!send && s->statem.hand_state == TLS_ST_EARLY_DATA))
+ ossl_statem_set_in_init(s, 1);
+ }
 }

 void ossl_statem_set_hello_verify_done(SSL *s)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 6fdb37ec7a..9a29ab5b8b 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
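Review bot: In `ossl_statem_check_finish_init()` the new `if (!s->server)` guard turns the function into a silent no-op for servers, and nothing in the hunk says why, or how a server sitting in `TLS_ST_EARLY_DATA` later re-enters the handshake to process the client's final flight. That path is presumably in the read/write entry points outside this diff, but the enum constants are now shared by both roles, so the reason should be recorded at the guard, for example `/* Client only: a server in TLS_ST_EARLY_DATA stays out of init here so SSL_write() does not end early-data reading */`. The two nested `if`s could also be folded into a single condition starting with `!s->server &&` to keep the function flat.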
@@ -253,7 +253,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
 }
 break;

- case TLS_ST_CW_EARLY_DATA:
+ case TLS_ST_EARLY_DATA:
 /*
 * We've not actually selected TLSv1.3 yet, but we have sent early
 * data. The only thing allowed now is a ServerHello or a
@@ -436,13 +436,13 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)

 case TLS_ST_CR_FINISHED:
 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY)
- st->hand_state = TLS_ST_CW_PENDING_EARLY_DATA_END;
+ st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
 else
 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
 : TLS_ST_CW_FINISHED;
 return WRITE_TRAN_CONTINUE;

- case TLS_ST_CW_PENDING_EARLY_DATA_END:
+ case TLS_ST_PENDING_EARLY_DATA_END:
 st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
 : TLS_ST_CW_FINISHED;
 return WRITE_TRAN_CONTINUE;
@@ -521,7 +521,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
 * We are assuming this is a TLSv1.3 connection, although we haven't
 * actually selected a version yet.
 */
- st->hand_state = TLS_ST_CW_EARLY_DATA;
+ st->hand_state = TLS_ST_EARLY_DATA;
 return WRITE_TRAN_CONTINUE;
 }
 /*
@@ -530,7 +530,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
 */
 return WRITE_TRAN_FINISHED;

- case TLS_ST_CW_EARLY_DATA:
+ case TLS_ST_EARLY_DATA:
 return WRITE_TRAN_FINISHED;

 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
@@ -666,8 +666,8 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
 }
 break;

- case TLS_ST_CW_EARLY_DATA:
- case TLS_ST_CW_PENDING_EARLY_DATA_END:
+ case TLS_ST_EARLY_DATA:
+ case TLS_ST_PENDING_EARLY_DATA_END:
 case TLS_ST_OK:
 return tls_finish_handshake(s, wst, 1);
 }
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 2b0ff57bad..9d15252a9f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -93,6 +93,7 @@ static int ossl_statem_server13_read_transition(SSL *s, int mt)
 }
 break;

+ case TLS_ST_EARLY_DATA:
 case TLS_ST_SW_FINISHED:
 if (s->s3->tmp.cert_request) {
 if (mt == SSL3_MT_CERTIFICATE) {
@@ -461,11 +462,14 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)

 case TLS_ST_SW_FINISHED:
 if (s->early_data_state == SSL_EARLY_DATA_ACCEPTING) {
- st->hand_state = TLS_ST_OK;
+ st->hand_state = TLS_ST_EARLY_DATA;
 return WRITE_TRAN_CONTINUE;
 }
 return WRITE_TRAN_FINISHED;

+ case TLS_ST_EARLY_DATA:
+ return WRITE_TRAN_FINISHED;
+
 case TLS_ST_SR_FINISHED:
 /*
 * Technically we have finished the handshake at this point, but we're
@@ -703,6 +707,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
 }
 return WORK_FINISHED_CONTINUE;

+ case TLS_ST_EARLY_DATA:
 case TLS_ST_OK:
 return tls_finish_handshake(s, wst, 1);
 }
-- 
2.25.1
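Review bot: The new `TLS_ST_EARLY_DATA` state in `ossl_statem_server13_write_transition()` lets the application write while the client's flight is still outstanding, and no comment at the transition says so. The read-transition hunk above shows a server in this state still waiting for `SSL3_MT_CERTIFICATE` when `cert_request` is set, so anything written here goes to a peer whose certificate (and presumably Finished) has not been checked, in reply to early data that may be a replay. I would record that where `st->hand_state = TLS_ST_EARLY_DATA;` is set, for example `/* Server may write from here, but the client's final flight is unprocessed: peer is unauthenticated and its early data may be replayed */`, and carry the same caveat into the `SSL_write()`/`SSL_read_early()` documentation. The switch body continues outside the hunk.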
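Review bot: `case TLS_ST_EARLY_DATA:` in `ossl_statem_server_pre_work()` now falls into `tls_finish_handshake(s, wst, 1)` although, on the server, the client's final flight has not been read at that point. `tls_finish_handshake()` is not part of this diff, so what it does beyond leaving init cannot be checked here; if it fires a handshake-done callback or updates session/accept statistics, those would run before the handshake is verified and possibly a second time at `TLS_ST_OK`. Please confirm, and if it is safe, say so with a comment such as `/* Not a completed handshake: we only leave init so the application can read early data and write */`. The switch starts outside the hunk.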