Generate exporter_master_secret after server Finished

Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4944)
2017-12-16 16:46:18 +09:00 · 2017-12-16 16:46:18 +09:00 · 2221ec10ab
commit 2221ec10ab
parent 50ea9d2b35
1 changed files with 12 additions and 3 deletions
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@ -581,9 +581,18 @@ int tls13_change_cipher_state(SSL *s, int which)
        goto err;
    }

-    if (label == server_application_traffic)
+    if (label == server_application_traffic) {
        memcpy(s->server_app_traffic_secret, secret, hashlen);
-    else if (label == client_application_traffic)
+        /* Now we create the exporter master secret */
+        if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
+                               exporter_master_secret,
+                               sizeof(exporter_master_secret) - 1,
+                               hash, hashlen, s->exporter_master_secret,
+                               hashlen)) {
+            /* SSLfatal() already called */
+            goto err;
+        }
+    } else if (label == client_application_traffic)
        memcpy(s->client_app_traffic_secret, secret, hashlen);

    if (!ssl_log_secret(s, log_label, secret, hashlen)) {
@ -667,7 +676,7 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
    unsigned int hashsize, datalen;
    int ret = 0;

-    if (ctx == NULL || !SSL_is_init_finished(s))
+    if (ctx == NULL)
        goto err;

    if (!use_context)