Commit de9f5b35 authored by Matt Caswell's avatar Matt Caswell
Browse files

Use the client app traffic secret for PHA Finished message 



The TLSv1.3 spec requires us to use the client application traffic secret
during generation of the Finished message following a post handshake
authentication.

Fixes #6263

Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6297)
parent b501ab6b

ssl/tls13_enc.c

+13 −2
Original line number Diff line number Diff line
@@ -247,12 +247,23 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, 
        goto err;

    }



    if (str == s->method->ssl3_enc->server_finished_label)

    if (str == s->method->ssl3_enc->server_finished_label) {

        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,

                                           s->server_finished_secret, hashlen);

    else

    } else if (SSL_IS_FIRST_HANDSHAKE(s)) {

        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,

                                           s->client_finished_secret, hashlen);

    } else {

        unsigned char finsecret[EVP_MAX_MD_SIZE];



        if (!tls13_derive_finishedkey(s, ssl_handshake_md(s),

                                      s->client_app_traffic_secret,

                                      finsecret, hashlen))

            goto err;



        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,

                                           hashlen);

    }



    if (key == NULL

            || ctx == NULL