Splitting handshake traffic derivation from key change.
This is in preparation for implementing 0-RTT where, like
with client_traffic_secret_0, client_handshake_secret must
be derived slightly earlier than it is used. (The secret is
derived at ServerHello, but used at server Finished.)
Change-Id: I6a186b84829800704a62fda412992ac730422110
Reviewed-on: https://boringssl-review.googlesource.com/12920
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
index 1aca634..7181f46 100644
--- a/ssl/tls13_server.c
+++ b/ssl/tls13_server.c
@@ -404,7 +404,11 @@
static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (!tls13_set_handshake_traffic(hs)) {
+ if (!tls13_derive_handshake_secrets(hs) ||
+ !tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
+ hs->hash_len) ||
+ !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
+ hs->hash_len)) {
return ssl_hs_error;
}
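Review bot: The new condition in do_send_encrypted_extensions has no comment explaining the direction and secret pairing, which is now written out at the call site (evp_aead_open with hs->client_handshake_secret, evp_aead_seal with hs->server_handshake_secret) rather than kept inside a single helper. A swapped pairing would be easy to introduce at any call site that repeats this pattern. Consider a one-line comment stating that the server reads with the client handshake secret and writes with the server handshake secret. The commit message says the secret is derived earlier than it is used, but in this hunk the client read key is still installed in the same expression that derives it, so a second comment should mark where the derivation and the key change are expected to move apart once 0-RTT lands. All three calls also collapse into one ssl_hs_error return, so a derivation failure cannot be told apart from a key-install failure. If that distinction matters for debugging, split the check.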