From c2265cc8b8f01c8a364e89b8653c576067f4b402 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Fri, 11 Jul 2014 13:21:15 +0000
Subject: Accept CCS again after `finished' has been sent by the client; at this point keys have been correctly set up so it is ok to accept CCS from the server. Without renegotiation can sometimes fail. OpenSSL PR #3400 via OpenSSL trunk.
---
 src/lib/libssl/s3_clnt.c | 11 ++++++-----
 src/lib/libssl/src/ssl/s3_clnt.c | 11 ++++++-----
 2 files changed, 12 insertions(+), 10 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index b70719f75a..017aaaecba 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.75 2014/07/11 09:24:44 beck Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.76 2014/07/11 13:21:15 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -497,12 +497,13 @@ ssl3_connect(SSL *s)
 case SSL3_ST_CW_FINISHED_A:
 case SSL3_ST_CW_FINISHED_B:
- ret = ssl3_send_finished(s,
- SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
- s->method->ssl3_enc->client_finished_label,
- s->method->ssl3_enc->client_finished_label_len);
+ ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
+ SSL3_ST_CW_FINISHED_B,
+ s->method->ssl3_enc->client_finished_label,
+ s->method->ssl3_enc->client_finished_label_len);
 if (ret <= 0)
 goto end;
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
 s->state = SSL3_ST_CW_FLUSH;
 /* clear flags */
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index b70719f75a..017aaaecba 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.75 2014/07/11 09:24:44 beck Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.76 2014/07/11 13:21:15 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -497,12 +497,13 @@ ssl3_connect(SSL *s)
 case SSL3_ST_CW_FINISHED_A:
 case SSL3_ST_CW_FINISHED_B:
- ret = ssl3_send_finished(s,
- SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
- s->method->ssl3_enc->client_finished_label,
- s->method->ssl3_enc->client_finished_label_len);
+ ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,
+ SSL3_ST_CW_FINISHED_B,
+ s->method->ssl3_enc->client_finished_label,
+ s->method->ssl3_enc->client_finished_label_len);
 if (ret <= 0)
 goto end;
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
 s->state = SSL3_ST_CW_FLUSH;
 /* clear flags */
-- cgit v1.2.3-55-g6feb
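Review bot: The added `s->s3->flags |= SSL3_FLAGS_CCS_OK;` after the `ret <= 0` check is unconditional, and nothing in this hunk shows where the flag is cleared again; the hunk ends at the `/* clear flags */` comment, so whether that code covers this flag cannot be seen here. If this state is also reached on a resumed handshake, where the server's ChangeCipherSpec has presumably already been processed before the client sends Finished, the flag would stay set with no CCS left to consume it, leaving the client willing to accept an unexpected CCS record later. Please confirm it is cleared on every path (CCS consumed, handshake complete, error), or limit it to the case that needs it, for example by putting `if (!s->hit)` in front of the assignment. A one-line comment such as `/* keys are set up; the server's CCS may now arrive */` would record why accepting CCS is safe from this point. The identical hunk in src/lib/libssl/s3_clnt.c raises the same question, and the body of ssl3_connect continues outside both hunks.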