tls-peer: Derive application traffic keys after server finished message
authorPascal Knecht <pascal.knecht@hsr.ch>
Tue, 10 Nov 2020 13:44:51 +0000 (14:44 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 13:35:23 +0000 (14:35 +0100)
The inbound key is used right away, the outbound key only after the
client finished message has been sent.

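--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -1710,14 +1710,14 @@ METHOD(tls_handshake_t, build, status_t,
                        case STATE_HELLO_DONE:
                        case STATE_CIPHERSPEC_CHANGED_OUT:
                        case STATE_FINISHED_RECEIVED:
-                               return send_finished(this, type, writer);
-                       case STATE_FINISHED_SENT:
                                if (!this->crypto->derive_app_keys(this->crypto))
                                {
                                        this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                                        return NEED_MORE;
                                }
                                this->crypto->change_cipher(this->crypto, TRUE);
+                               return send_finished(this, type, writer);
+                       case STATE_FINISHED_SENT:
                                this->crypto->change_cipher(this->crypto, FALSE);
                                this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
                                return INVALID_STATE;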
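Review bot: The reordered branch under `case STATE_FINISHED_RECEIVED:` depends on `derive_app_keys()` running before `send_finished()`, but no comment says so, and a later refactor could swap the calls back without any compile-time signal. In TLS 1.3 the application traffic secrets are computed over the transcript up to the server Finished (RFC 8446, section 7.1), which is presumably why the derivation has to precede the client Finished being written. I would add something like `/* derive application keys before our Finished enters the transcript; inbound keys are installed now, outbound ones in STATE_FINISHED_SENT */` above the `if`. The same body is also reached from `STATE_HELLO_DONE` and `STATE_CIPHERSPEC_CHANGED_OUT`, so inbound application keys are installed from those states too. If those states cannot occur in this branch, that is worth stating in the comment; the surrounding switch lies outside the hunk, so this cannot be confirmed from here.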