From a6b69b68649a7cd57edaa8b447947191d28268e8 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sean@wolfssl.com>
Date: Tue, 5 Jan 2021 14:32:48 +1000
Subject: [PATCH] TLS send change cipher: Don't set keys when negotiating TLS
 1.3

---
 src/internal.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index ad34b7f1c..370a14770 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -16067,13 +16067,18 @@ int SendChangeCipher(WOLFSSL* ssl)
     #endif
     ssl->buffers.outputBuffer.length += sendSz;
 
-    /* setup encrypt keys */
-    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
-        return ret;
+#ifdef WOLFSSL_TLS13
+    if (!ssl->options.tls1_3)
+#endif
+    {
+        /* setup encrypt keys */
+        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
+            return ret;
 
     #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
         ssl->options.startedETMWrite = ssl->options.encThenMac;
     #endif
+    }
 
     if (ssl->options.groupMessages)
         return 0;