#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include <openssl/trace.h>
/*
* Map error codes to TLS/SSL alart types.
goto err;
}
-#ifdef SSL_DEBUG
if (SSL_USE_SIGALGS(s))
- fprintf(stderr, "USING TLSv1.2 HASH %s\n",
- md == NULL ? "n/a" : EVP_MD_name(md));
-#endif
+ OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
/* Check for broken implementations of GOST ciphersuites */
/*
goto err;
}
-#ifdef SSL_DEBUG
- fprintf(stderr, "Using client verify alg %s\n",
- md == NULL ? "n/a" : EVP_MD_name(md));
-#endif
+ OSSL_TRACE1(TLS, "Using client verify alg %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
+
if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
ERR_R_EVP_LIB);
{
unsigned int updatetype;
- s->key_update_count++;
- if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
- SSL_R_TOO_MANY_KEY_UPDATES);
- return MSG_PROCESS_ERROR;
- }
-
/*
* A KeyUpdate message signals a key change so the end of the message must
* be on a record boundary.
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
{
void (*cb) (const SSL *ssl, int type, int val) = NULL;
+ int cleanuphand = s->statem.cleanuphand;
if (clearbufs) {
if (!SSL_IS_DTLS(s)) {
* Only set if there was a Finished message and this isn't after a TLSv1.3
* post handshake exchange
*/
- if (s->statem.cleanuphand) {
+ if (cleanuphand) {
/* skipped if we just sent a HelloRequest */
s->renegotiate = 0;
s->new_session = 0;
/* The callback may expect us to not be in init at handshake done */
ossl_statem_set_in_init(s, 0);
- if (cb != NULL)
- cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ if (cb != NULL) {
+ if (cleanuphand
+ || !SSL_IS_TLS13(s)
+ || SSL_IS_FIRST_HANDSHAKE(s))
+ cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ }
if (!stop) {
/* If we've got more work to do we go back into init */