X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=6d32666e43f431caa89c9a179cb966199cee1cca;hp=46ffb47e10772d277afd7a7ac1d1c98121b93e1b;hb=92760c21e62c6e5ef172fa110cf47a509cd50f2f;hpb=0d9824c1712b6cacd9b0ecfba26fb66ae4badfb4 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 46ffb47e10..6d32666e43 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -330,7 +330,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) size_t md_len; /* If this occurs, we have missed a message */ - if (!s->s3->change_cipher_spec) { + if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); goto f_err; @@ -367,6 +367,32 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) s->s3->previous_server_finished_len = md_len; } + /* In TLS1.3 we also have to change cipher state */ + if (SSL_IS_TLS13(s)) { + if (s->server) { + if (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); + goto f_err; + } + } else { + if (!s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, s->handshake_secret, 0, + &s->session->master_key_length)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); + goto f_err; + } + if (!s->method->ssl3_enc->change_cipher_state(s, + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER); + goto f_err; + } + } + } + return MSG_PROCESS_FINISHED_READING; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al);