The branch master has been updated via de9f5b3554274e27949941cbe74a07c8a5f25dbf (commit) from b501ab6bee469eafb8b67ac38896bb689ab632fa (commit)
- Log -----------------------------------------------------------------
commit de9f5b3554274e27949941cbe74a07c8a5f25dbf
Author: Matt Caswell <m...@openssl.org>
Date: Fri May 18 17:33:19 2018 +0100

    Use the client app traffic secret for PHA Finished message

    The TLSv1.3 spec requires us to use the client application traffic secret during generation of the Finished message following a post handshake authentication.

    Fixes #6263

    Reviewed-by: Ben Kaduk <ka...@mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/6297)
-----------------------------------------------------------------------

Summary of changes:
 ssl/tls13_enc.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 1613004..1e6db92 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -247,12 +247,23 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
         goto err;
     }
-    if (str == s->method->ssl3_enc->server_finished_label)
+    if (str == s->method->ssl3_enc->server_finished_label) {
         key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                            s->server_finished_secret, hashlen);
-    else
+    } else if (SSL_IS_FIRST_HANDSHAKE(s)) {
         key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                            s->client_finished_secret, hashlen);
+    } else {
+        unsigned char finsecret[EVP_MAX_MD_SIZE];
+        if (!tls13_derive_finishedkey(s, ssl_handshake_md(s),
+                                      s->client_app_traffic_secret,
+                                      finsecret, hashlen))
+            goto err;
+        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,
+                                           hashlen);
+    }
     if (key == NULL || ctx == NULL
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits