ssl: Correct connection state handling in TLS sender

IngelaAndin · IngelaAndin · commit 7e7da59b6f5a · 2025-09-17T09:19:54.000+02:00
Optimization commit 28f7e80 broke max_fragment_length handling, that is the TLS sender lost its knowledge of the maximum fragment length. Make TLS sender process aware of it in the cases it is negotiated, for default maximum we do not need to store it in the connection state. Closes #10191
diff --git a/lib/ssl/src/tls_gen_connection.erl b/lib/ssl/src/tls_gen_connection.erl
@@ -231,8 +231,9 @@ queue_change_cipher(Msg, #state{connection_env = #connection_env{negotiated_vers
 
 reinit(#state{protocol_specific = #{sender := Sender},
               connection_env = #connection_env{negotiated_version = Version},
-              connection_states = #{current_write := Write}} = State0) ->
-    tls_sender:update_connection_state(Sender, Write, Version),
+              connection_states = #{current_write := Write} = ConnectionStates} = State0) ->
+    MaxFragLength = maps:get(max_fragment_length, ConnectionStates, undefined),
+    tls_sender:update_connection_state(Sender, Write, Version, MaxFragLength),
     State = reinit_handshake_data(State0),
     garbage_collect(),
     State.
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
@@ -55,7 +55,7 @@
 	 is_higher/2, supported_protocol_versions/0, sufficient_crypto_support/1,
 	 is_acceptable_version/1, is_acceptable_version/2, hello_version/1]).
 
--export_type([tls_version/0, tls_atom_version/0]).
+-export_type([tls_version/0, tls_atom_version/0, tls_max_frag_len/0]).
 
 -type tls_version()       :: ssl_record:ssl_version().
 -type tls_atom_version()  :: sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' | 'tlsv1.3'.
diff --git a/lib/ssl/src/tls_sender.erl b/lib/ssl/src/tls_sender.erl
@@ -42,8 +42,8 @@
          renegotiate/1,
          peer_renegotiate/1,
          downgrade/2,
-         update_connection_state/3,
          dist_tls_socket/1,
+         update_connection_state/4,
          dist_handshake_complete/3]).
 
 %% gen_statem callbacks
@@ -166,12 +166,14 @@ peer_renegotiate(Pid) ->
      gen_statem:call(Pid, renegotiate, ?DEFAULT_TIMEOUT).
 
 %%--------------------------------------------------------------------
--spec update_connection_state(pid(), WriteState::map(), tls_record:tls_version()) -> ok. 
+-spec update_connection_state(pid(), WriteState::map(),
+                              tls_record:tls_version(),
+                              MaxFragLen :: tls_record:tls_max_frag_len()) -> ok.
 %% Description: So TLS connection process can synchronize the 
 %% encryption state to be used when sending application data. 
 %%--------------------------------------------------------------------
-update_connection_state(Pid, NewState, Version) ->
-    gen_statem:cast(Pid, {new_write, NewState, Version}).
+update_connection_state(Pid, NewState, Version, MaxFragLen) ->
+    gen_statem:cast(Pid, {new_write, NewState, Version, MaxFragLen}).
 
 %%--------------------------------------------------------------------
 -spec downgrade(pid(), integer()) -> {ok, ssl_record:connection_state()}
@@ -339,19 +341,19 @@ connection({call, From}, get_application_traffic_secret, #data{env = #env{num_ke
                     [{reply, From, {ok, ApplicationTrafficSecret, N}}]);
 connection(internal, {application_packets, From, Data}, StateData) ->
     send_application_data(Data, From, connection, StateData);
+
 connection(internal, {post_handshake_data, From, HSData}, StateData) ->
     send_post_handshake_data(HSData, From, connection, StateData);
 connection(cast, #alert{} = Alert, StateData0) ->
     StateData = send_tls_alert(Alert, StateData0),
     {next_state, connection, StateData};
-connection(cast, {new_write, WritesState, Version}, 
-           #data{connection_states = ConnectionStates, env = Env} = StateData) ->
+connection(cast, {new_write, WritesState, Version, MaxFragLen},
+           #data{connection_states = ConnectionStates0, env = Env} = StateData) ->
+    ConnectionStates = handle_new_write_state(ConnectionStates0, WritesState, MaxFragLen),
     hibernate_after(connection,
-                    StateData#data{connection_states =
-                                       ConnectionStates#{current_write => WritesState},
-                                   env =
-                                       Env#env{negotiated_version = Version}}, []);
-%%
+                    StateData#data{connection_states = ConnectionStates,
+                                   env = Env#env{negotiated_version = Version}},
+                    []);
 connection(info, dist_data,
            #data{env = #env{dist_handle = DHandle}} = StateData) ->
       case dist_data(DHandle) of
@@ -394,24 +396,24 @@ handshake({call, _}, _, _) ->
     {keep_state_and_data, [postpone]};
 handshake(internal, {application_packets,_,_}, _) ->
     {keep_state_and_data, [postpone]};
-handshake(cast, {new_write, WriteState, Version},
+handshake(cast, {new_write, WriteState, Version, MaxFragLen},
           #data{connection_states = ConnectionStates0,
                 env = #env{key_update_at = KeyUpdateAt0,
-                                 role = Role,
-                                 num_key_updates = N,
-                                 keylog_fun = Fun} = Env} = StateData) ->
-    ConnectionStates = ConnectionStates0#{current_write => WriteState},
+                           role = Role,
+                           num_key_updates = N,
+                           keylog_fun = Fun} = Env} = StateData) ->
     KeyUpdateAt = key_update_at(Version, WriteState, KeyUpdateAt0),
-     case Version of
-         ?TLS_1_3 ->
-             maybe_traffic_keylog_1_3(Fun, Role, ConnectionStates, N);
-          _ ->
-             ok
-     end,
-    {next_state, connection, 
+    ConnectionStates = handle_new_write_state(ConnectionStates0, WriteState, MaxFragLen),
+    case Version of
+        ?TLS_1_3 ->
+            maybe_traffic_keylog_1_3(Fun, Role, ConnectionStates, N);
+        _ ->
+            ok
+    end,
+    {next_state, connection,
      StateData#data{connection_states = ConnectionStates,
                     env = Env#env{negotiated_version = Version,
-                                           key_update_at = KeyUpdateAt}}};
+                                  key_update_at = KeyUpdateAt}}};
 handshake(info, dist_data, _) ->
     {keep_state_and_data, [postpone]};
 handshake(info, tick, _) ->
@@ -463,6 +465,13 @@ code_change(_OldVsn, State, Data, _Extra) ->
 %%%===================================================================
 %%% Internal functions
 %%%===================================================================
+handle_new_write_state(ConnectionStates, WriteState0, undefined) ->
+    WriteState = maps:remove(aead_handle, WriteState0),
+    maps:without([max_fragment_length], ConnectionStates#{current_write => WriteState});
+handle_new_write_state(ConnectionStates, WriteState0, MaxFragLen) ->
+    WriteState = maps:remove(aead_handle, WriteState0),
+    ConnectionStates#{max_fragment_length => MaxFragLen, current_write => WriteState}.
+
 handle_set_opts(StateName, From, Opts,
                 #data{env = #env{socket_options = SockOpts} = Env}
                 = StateData) ->
