Splitting handshake traffic derivation from key change. This is in preparation for implementing 0-RTT where, like with client_traffic_secret_0, client_handshake_secret must be derived slightly earlier than it is used. (The secret is derived at ServerHello, but used at server Finished.) Change-Id: I6a186b84829800704a62fda412992ac730422110 Reviewed-on: https://boringssl-review.googlesource.com/12920 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

commit: 4cb8494d25e5c898bb4f0309de9d5df23dfcdfbf [log] [tgz]
author: Steven Valdez <svaldez@google.com> Fri Dec 16 11:29:28 2016 -0500
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Fri Dec 16 20:29:23 2016 +0000
tree: ee9487eb9b90e55be6ef83f3e5c04f795925ffba
parent: 1bcd10c557b26f82ed372c794958f4bfc1db0067 [diff] [blame]
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index 4a202d7..ea241c1 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c

@@ -311,7 +311,11 @@
     return ssl_hs_error;
   }
 
-  if (!tls13_set_handshake_traffic(hs)) {
+  if (!tls13_derive_handshake_secrets(hs) ||
+      !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,
+                             hs->hash_len) ||
+      !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
+                             hs->hash_len)) {
     return ssl_hs_error;
   }
commit	4cb8494d25e5c898bb4f0309de9d5df23dfcdfbf	[log] [tgz]
author	Steven Valdez <svaldez@google.com>	Fri Dec 16 11:29:28 2016 -0500
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Fri Dec 16 20:29:23 2016 +0000
tree	ee9487eb9b90e55be6ef83f3e5c04f795925ffba
parent	1bcd10c557b26f82ed372c794958f4bfc1db0067 [diff] [blame]