Consolidate CCS_OK paths in s3_clnt.c.

Introduce a CR_CHANGE state just before entering CR_FINISHED_A. This replaces
the CCS_OK in the CR_FINISHED_A/CR_FINISHED_B case which otherwise would get
applied after partial reads of Finished. The other CCS_OK settings are
redundant with this one.

The copy in tls_secret_session_cb codepath is made unnecessary with

The copy in the normal session resumption case is unnecessary with
6444287806d801b9a45baf1f6f02a0e3a16e144c. Before that commit, OpenSSL would
potentially read Finished a state early. Now that we are strict (and get the
book-keeping correct) for expecting the NewSessionTicket message it too is

Of particular note is the one after ssl3_send_finished. That was added in
response to upstream's PR#3400. I've reproduced the bug and concluded it was
actually a bug around expecting a NewSessionTicket message. That has been fixed
properly in 6444287806d801b9a45baf1f6f02a0e3a16e144c by resetting
tlsext_expect_ticket on renegotiations.

Change-Id: I6a928386994fcd5efff26a5f0efb12b65bf7f299
Reviewed-by: Adam Langley <>
3 files changed