From: Pascal Knecht Date: Tue, 10 Nov 2020 13:44:51 +0000 (+0100) Subject: tls-peer: Derive application traffic keys after server finished message X-Git-Tag: 5.9.2rc1~23^2~24 X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=2d933f318b24545d8fde479eb87661e52a1c68e7 tls-peer: Derive application traffic keys after server finished message The inbound key is used right away, the outbound key only after the client finished message has been sent.
---
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 1f9e270..c9da4e2 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -1710,14 +1710,14 @@ METHOD(tls_handshake_t, build, status_t,
 case STATE_HELLO_DONE:
 case STATE_CIPHERSPEC_CHANGED_OUT:
 case STATE_FINISHED_RECEIVED:
-return send_finished(this, type, writer);
-case STATE_FINISHED_SENT:
 if (!this->crypto->derive_app_keys(this->crypto))
 {
 this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 return NEED_MORE;
 }
 this->crypto->change_cipher(this->crypto, TRUE);
+return send_finished(this, type, writer);
+case STATE_FINISHED_SENT:
 this->crypto->change_cipher(this->crypto, FALSE);
 this->state = STATE_FINISHED_SENT_KEY_SWITCHED;
 return INVALID_STATE;
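Review bot: The reason the inbound cipher is switched before send_finished() while the outbound switch waits for STATE_FINISHED_SENT exists only in the commit message; the case body should carry it, e.g. `/* the peer's Finished completes its side of the handshake, so its application traffic key is live now; our outbound key is switched only after our Finished has been sent (STATE_FINISHED_SENT) */` above the derive_app_keys() call. Because the three case labels fall through, STATE_HELLO_DONE and STATE_CIPHERSPEC_CHANGED_OUT now also run derive_app_keys() and change_cipher(TRUE) before Finished is written; that is the same derivation the old STATE_FINISHED_SENT did, but the inbound switch now precedes the write, so it is worth confirming that a failing send_finished() advances or aborts the state rather than re-entering this case and deriving the keys a second time. The enclosing build() method starts and ends outside the hunk, so the surrounding state transitions cannot be checked here.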