diff options
author | Matt Caswell <matt@openssl.org> | 2018-05-18 17:33:19 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-05-23 13:48:33 +0100 |
commit | de9f5b3554274e27949941cbe74a07c8a5f25dbf (patch) | |
tree | 6b0ad2d848af8b28cd1809e5e9901cf7dd8725ee /ssl | |
parent | b501ab6bee469eafb8b67ac38896bb689ab632fa (diff) | |
download | openssl-de9f5b3554274e27949941cbe74a07c8a5f25dbf.tar.gz |
Use the client app traffic secret for PHA Finished message
The TLSv1.3 spec requires us to use the client application traffic secret
during generation of the Finished message following a post handshake
authentication.
Fixes #6263
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6297)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/tls13_enc.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 1613004f78..1e6db92346 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -247,12 +247,23 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, goto err; } - if (str == s->method->ssl3_enc->server_finished_label) + if (str == s->method->ssl3_enc->server_finished_label) { key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, s->server_finished_secret, hashlen); - else + } else if (SSL_IS_FIRST_HANDSHAKE(s)) { key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, s->client_finished_secret, hashlen); + } else { + unsigned char finsecret[EVP_MAX_MD_SIZE]; + + if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), + s->client_app_traffic_secret, + finsecret, hashlen)) + goto err; + + key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret, + hashlen); + } if (key == NULL || ctx == NULL |