3 files changed, 17 insertions, 3 deletions

diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index d4fc7cb6f7..536630ac33 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.30 2019/02/28 17:39:36 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.31 2019/02/28 17:56:43 jsing Exp $      */
 /*
  * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -282,6 +282,7 @@ tls13_handshake_perform(struct tls13_ctx *ctx)
                         return TLS13_IO_FAILURE;
 
                 if (action->handshake_complete) {
+                        ctx->handshake_completed = 1;
                         tls13_record_layer_handshake_completed(ctx->rl);
                         return TLS13_IO_SUCCESS;
                 }
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index c3b698e987..f3cccc14a6 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.24 2019/02/25 19:44:04 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.25 2019/02/28 17:56:43 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -156,6 +156,7 @@ struct tls13_ctx {
         struct ssl_handshake_tls13_st *hs;
         uint8_t mode;
         struct tls13_handshake_stage handshake_stage;
+        int handshake_completed;
 
         const EVP_AEAD *aead;
         const EVP_MD *hash;
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index e371d71750..c5e2faf3fc 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.7 2019/02/28 17:44:56 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.8 2019/02/28 17:56:43 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -241,6 +241,12 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee
         struct tls13_ctx *ctx = ssl->internal->tls13;
         ssize_t ret;
 
+        if (ctx == NULL || !ctx->handshake_completed) {
+                if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
+                        return ret;
+                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
+        }
+
         if (peek) {
                 /* XXX - support peek... */
                 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
@@ -266,6 +272,12 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len)
         struct tls13_ctx *ctx = ssl->internal->tls13;
         ssize_t ret;
 
+        if (ctx == NULL || !ctx->handshake_completed) {
+                if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
+                        return ret;
+                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
+        }
+
         if (type != SSL3_RT_APPLICATION_DATA) {
                 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 return -1;