Merge pull request #3626 from SparkiDev/tls13_middlebox_fix

TLS send change cipher: Don't set keys when negotiating TLS 1.3
2025-07-29 18:27:29 +02:00 · 2021-01-18 15:14:58 -08:00
parent 1e9394d5a8 a6b69b6864
commit 8ae609d078
1 changed files with 8 additions and 3 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -16067,13 +16067,18 @@ int SendChangeCipher(WOLFSSL* ssl)
    #endif
    ssl->buffers.outputBuffer.length += sendSz;

-    /* setup encrypt keys */
-    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
-        return ret;
+#ifdef WOLFSSL_TLS13
+    if (!ssl->options.tls1_3)
+#endif
+    {
+        /* setup encrypt keys */
+        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
+            return ret;

    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
        ssl->options.startedETMWrite = ssl->options.encThenMac;
    #endif
+    }

    if (ssl->options.groupMessages)
        return 0;