Fix SSL_get{,_peer}_finished() with TLSv1.3

As reported by Steffen Ullrich and bluhm, the Finished tests in
p5-Net-SSLeay's t/local/43_misc_functions.t broke with with TLSv1.3.
The reason for this is that we don't copy the MDs over to the SSL, so
the API functions can't retrieve them.  This commit fixes this part of
the test (one unrelated test still fails).

ok inoguchi jsing

2 files changed, 28 insertions, 2 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 35409d92bd..f804f27293 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.67 2020/09/11 17:36:27 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.68 2020/12/14 15:26:36 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -756,6 +756,7 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
         uint8_t key[EVP_MAX_MD_SIZE];
         HMAC_CTX *hmac_ctx = NULL;
         unsigned int hlen;
+        SSL *s = ctx->ssl;
         int ret = 0;
 
         /*
@@ -790,6 +791,11 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
         }
 
+        if (!CBS_write_bytes(cbs, S3I(s)->tmp.peer_finish_md,
+            sizeof(S3I(s)->tmp.peer_finish_md),
+            &S3I(s)->tmp.peer_finish_md_len))
+                goto err;
+
         if (!CBS_skip(cbs, verify_data_len))
                 goto err;
 
@@ -1036,6 +1042,8 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
         size_t hmac_len;
         unsigned int hlen;
         HMAC_CTX *hmac_ctx = NULL;
+        CBS cbs;
+        SSL *s = ctx->ssl;
         int ret = 0;
 
         finished_key.data = key;
@@ -1066,6 +1074,11 @@ tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
         if (hlen != hmac_len)
                 goto err;
 
+        CBS_init(&cbs, verify_data, hmac_len);
+        if (!CBS_write_bytes(&cbs, S3I(s)->tmp.finish_md,
+            sizeof(S3I(s)->tmp.finish_md), &S3I(s)->tmp.finish_md_len))
+                goto err;
+
         ret = 1;
 
  err:
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index a3adf9e6b3..1c8644ab27 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.63 2020/11/17 07:02:30 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.64 2020/12/14 15:26:36 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -776,6 +776,8 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
         size_t hmac_len;
         unsigned int hlen;
         HMAC_CTX *hmac_ctx = NULL;
+        CBS cbs;
+        SSL *s = ctx->ssl;
         int ret = 0;
 
         finished_key.data = key;
@@ -806,6 +808,11 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
         if (hlen != hmac_len)
                 goto err;
 
+        CBS_init(&cbs, verify_data, hmac_len);
+        if (!CBS_write_bytes(&cbs, S3I(s)->tmp.finish_md,
+            sizeof(S3I(s)->tmp.finish_md), &S3I(s)->tmp.finish_md_len))
+                goto err;
+
         ret = 1;
 
  err:
@@ -1036,6 +1043,7 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
         uint8_t key[EVP_MAX_MD_SIZE];
         HMAC_CTX *hmac_ctx = NULL;
         unsigned int hlen;
+        SSL *s = ctx->ssl;
         int ret = 0;
 
         /*
@@ -1070,6 +1078,11 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
         }
 
+        if (!CBS_write_bytes(cbs, S3I(s)->tmp.peer_finish_md,
+            sizeof(S3I(s)->tmp.peer_finish_md),
+            &S3I(s)->tmp.peer_finish_md_len))
+                goto err;
+
         if (!CBS_skip(cbs, verify_data_len))
                 goto err;