ssl: Improve TLS 1.3 statem

- Store FinishedKey in cipher_state.
- Implement state 'wait_finished'.
- Calculate traffic secrets in 'wait_finished' after Finished
  received from client and go to state 'Connection'.
- Drop 'change_cipher_spec' messages (middlebox compatibility mode).
- Extend tests of 1-RTT.

Change-Id: Id69619ec5da053ffaaef75378678a27afeef6916

1 files changed, 17 insertions, 0 deletions

diff --git a/lib/ssl/src/tls_record_1_3.erl b/lib/ssl/src/tls_record_1_3.erl
index 1681babed9..05acc08392 100644
--- a/lib/ssl/src/tls_record_1_3.erl
+++ b/lib/ssl/src/tls_record_1_3.erl
@@ -123,6 +123,23 @@ decode_cipher_text(#ssl_tls{type = ?OPAQUE_TYPE,
                                        ReadState0#{sequence_number => Seq + 1}},
 	    {decode_inner_plaintext(PlainFragment), ConnectionStates}
     end;
+
+%% RFC8446 - TLS 1.3
+%% D.4.  Middlebox Compatibility Mode
+%%    -  If not offering early data, the client sends a dummy
+%%       change_cipher_spec record (see the third paragraph of Section 5)
+%%       immediately before its second flight.  This may either be before
+%%       its second ClientHello or before its encrypted handshake flight.
+%%       If offering early data, the record is placed immediately after the
+%%       first ClientHello.
+decode_cipher_text(#ssl_tls{type = ?CHANGE_CIPHER_SPEC,
+                            version = ?LEGACY_VERSION,
+                            fragment = <<1>>},
+		   ConnectionStates0) ->
+    {#ssl_tls{type = ?CHANGE_CIPHER_SPEC,
+              version = {3,4}, %% Internally use real version
+              fragment = <<1>>}, ConnectionStates0};
+
 decode_cipher_text(#ssl_tls{type = Type,
                             version = ?LEGACY_VERSION,
                             fragment = CipherFragment},