MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
{
- int al;
+ int al = SSL_AD_INTERNAL_ERROR;
size_t md_len;
/* If this occurs, we have missed a message */
- if (!s->s3->change_cipher_spec) {
+ if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
goto f_err;
s->s3->previous_server_finished_len = md_len;
}
+ /*
+ * In TLS1.3 we also have to change cipher state and do any final processing
+ * of the initial server flight (if we are a client)
+ */
+ if (SSL_IS_TLS13(s)) {
+ if (s->server) {
+ if (!s->method->ssl3_enc->change_cipher_state(s,
+ SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
+ SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER);
+ goto f_err;
+ }
+ } else {
+ if (!s->method->ssl3_enc->generate_master_secret(s,
+ s->session->master_key, s->handshake_secret, 0,
+ &s->session->master_key_length)) {
+ SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER);
+ goto f_err;
+ }
+ if (!s->method->ssl3_enc->change_cipher_state(s,
+ SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
+ SSLerr(SSL_F_TLS_PROCESS_FINISHED, SSL_R_CANNOT_CHANGE_CIPHER);
+ goto f_err;
+ }
+ if (!tls_process_initial_server_flight(s, &al))
+ goto f_err;
+ }
+ }
+
return MSG_PROCESS_FINISHED_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
switch (server_version) {
default:
+ /*
+ * TODO(TLS1.3): This check will fail if someone attempts to do
+ * renegotiation in TLS1.3 at the moment. We need to ensure we disable
+ * renegotiation for TLS1.3
+ */
if (version_cmp(s, client_version, s->version) < 0)
return SSL_R_WRONG_SSL_VERSION;
/*
/* TODO(TLS1.3): Remove this before release */
if (candidate_vers == TLS1_3_VERSION_DRAFT)
candidate_vers = TLS1_3_VERSION;
+ /*
+ * TODO(TLS1.3): There is some discussion on the TLS list about
+ * wheter to ignore versions <TLS1.2 in supported_versions. At the
+ * moment we honour them if present. To be reviewed later
+ */
if ((int)candidate_vers > s->client_version)
s->client_version = candidate_vers;
if (version_cmp(s, candidate_vers, best_vers) <= 0)
for (vent = table;
vent->version != 0 && vent->version != (int)candidate_vers;
++vent)
- ;
+ continue;
if (vent->version != 0 && vent->smeth != NULL) {
const SSL_METHOD *method;
const version_info *vent;
const version_info *table;
+ /* TODO(TLS1.3): Remove this before release */
+ if (version == TLS1_3_VERSION_DRAFT)
+ version = TLS1_3_VERSION;
+
switch (s->method->version) {
default:
if (version != s->version)