From 5cf6c3182264c1dbe935d1f11c8c776a17d7b393 Mon Sep 17 00:00:00 2001 From: Todd Short Date: Tue, 12 Nov 2019 13:52:35 -0500 Subject: QUIC: Fix resumption secret (cherry picked from commit 16fafdf4e0ec6cddd5705f407e5dca26cb30914d) (cherry picked from commit b97af137adf08bdd75c0c5843b2eb4a1483c2293) --- ssl/tls13_enc.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 2195283f03..8a31faa1c2 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -513,10 +513,7 @@ static int quic_change_cipher_state(SSL *s, int which) || !tls13_hkdf_expand(s, md, s->master_secret, server_application_traffic, sizeof(server_application_traffic)-1, hash, hashlen, s->server_app_traffic_secret, hashlen, 1) - || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen) - || !tls13_hkdf_expand(s, md, s->master_secret, resumption_master_secret, - sizeof(resumption_master_secret)-1, hash, hashlen, - s->resumption_master_secret, hashlen, 1)) { + || !ssl_log_secret(s, SERVER_APPLICATION_LABEL, s->server_app_traffic_secret, hashlen)) { /* SSLfatal() already called */ goto err; } @@ -530,6 +527,8 @@ static int quic_change_cipher_state(SSL *s, int which) else s->quic_read_level = level; } else { + /* is_client_write || is_server_read */ + if (is_early) { level = ssl_encryption_early_data; @@ -545,6 +544,16 @@ static int quic_change_cipher_state(SSL *s, int which) level = ssl_encryption_handshake; } else { level = ssl_encryption_application; + /* + * We also create the resumption master secret, but this time use the + * hash for the whole handshake including the Client Finished + */ + if (!tls13_hkdf_expand(s, md, s->master_secret, resumption_master_secret, + sizeof(resumption_master_secret)-1, hash, hashlen, + s->resumption_master_secret, hashlen, 1)) { + /* SSLfatal() already called */ + goto err; + } } if (s->server) -- 2.35.3