Use the client app traffic secret for PHA Finished message

The TLSv1.3 spec requires us to use the client application traffic secret during generation of the Finished message following a post handshake authentication. Fixes #6263 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/6297)
2024-12-05 07:54:47 +08:00 · 2018-05-18 17:33:19 +01:00 · 2018-05-18 17:33:19 +01:00 · de9f5b3554
commit de9f5b3554
parent b501ab6bee
1 changed files with 13 additions and 2 deletions
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@ -247,12 +247,23 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
        goto err;
    }

-    if (str == s->method->ssl3_enc->server_finished_label)
+    if (str == s->method->ssl3_enc->server_finished_label) {
        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                           s->server_finished_secret, hashlen);
-    else
+    } else if (SSL_IS_FIRST_HANDSHAKE(s)) {
        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                           s->client_finished_secret, hashlen);
+    } else {
+        unsigned char finsecret[EVP_MAX_MD_SIZE];
+
+        if (!tls13_derive_finishedkey(s, ssl_handshake_md(s),
+                                      s->client_app_traffic_secret,
+                                      finsecret, hashlen))
+            goto err;
+
+        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,
+                                           hashlen);
+    }

    if (key == NULL
            || ctx == NULL