In the TLSv1.2 server, set up the key block after sending the CCS.

This avoids calling into the key block setup code multiple times and makes
the server code consistent with the client.

ok inoguchi@ tb@

1 files changed, 7 insertions, 7 deletions

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 2d1af2f86f..8e6a1859eb 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.106 2021/05/02 17:18:10 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.107 2021/05/02 17:28:33 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -641,12 +641,6 @@ ssl3_accept(SSL *s)
 
                 case SSL3_ST_SW_CHANGE_A:
                 case SSL3_ST_SW_CHANGE_B:
-                        s->session->cipher = S3I(s)->hs.cipher;
-                        if (!tls1_setup_key_block(s)) {
-                                ret = -1;
-                                goto end;
-                        }
-
                         ret = ssl3_send_change_cipher_spec(s,
                             SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
                         if (ret <= 0)
@@ -654,6 +648,12 @@ ssl3_accept(SSL *s)
                         S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
                         s->internal->init_num = 0;
 
+                        s->session->cipher = S3I(s)->hs.cipher;
+                        if (!tls1_setup_key_block(s)) {
+                                ret = -1;
+                                goto end;
+                        }
+
                         if (!tls1_change_cipher_state(s,
                             SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                                 ret = -1;