From 123c71365858c6bac2cd7272ee2785823847a129 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 14 Dec 2020 18:13:26 -0800
Subject: [PATCH] Key Change Move the setting of the key in the handshake from right before sending the finished message to between building change cipher spec and sending it. This way there won't be any opportunity to send a message after the change cipher spec that won't be encrypted.
---
src/internal.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 5a529ba5b..749e2b7ba 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -15960,6 +15960,14 @@ int SendChangeCipher(WOLFSSL* ssl)
#endif
ssl->buffers.outputBuffer.length += sendSz;
+ /* setup encrypt keys */
+ if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
+ return ret;
+
+ #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
+ ssl->options.startedETMWrite = ssl->options.encThenMac;
+ #endif
+
if (ssl->options.groupMessages)
return 0;
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DEBUG_DTLS)
@@ -16707,14 +16715,6 @@ int SendFinished(WOLFSSL* ssl)
WOLFSSL_START(WC_FUNC_FINISHED_SEND);
WOLFSSL_ENTER("SendFinished");
- /* setup encrypt keys */
- if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
- return ret;
-
- #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
- ssl->options.startedETMWrite = ssl->options.encThenMac;
- #endif
-
/* check for available size */
outputSz = sizeof(input) + MAX_MSG_EXTRA;
if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
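Review bot: On the failure path of the added `SetKeysSide` call in SendChangeCipher, the function returns after `ssl->buffers.outputBuffer.length += sendSz;` has already committed the change cipher spec record to the output buffer, so that record stays queued while the write keys are still the old ones. If the caller then flushes the buffer or queues an alert (not visible here), the peer would receive change cipher spec followed by a record under the previous write state, which is the ordering this commit sets out to prevent. Consider undoing the length on error, e.g. `if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) { ssl->buffers.outputBuffer.length -= sendSz; return ret; }`, after confirming that nothing above the hunk (the block closed by the leading `#endif`) has already recorded the message elsewhere. SendFinished in the second hunk now depends on SendChangeCipher having switched the keys, and a comment such as `/* write keys were set in SendChangeCipher() */` where the block was removed would document that precondition. Both function bodies start and end outside their hunks.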