Fix TLSv1.3 exporter

We need to use the hashsize in generating the exportsecret not 0! Otherwise we end up with random garbage for the secret. It was pure chance that this passed the tests previously. It so happens that, because we call SSL_export_keying_material() repeatedly for different scenarios in the test, we end up in the tls13_export_keying_material() at exactly the same position in the stack each time and therefore end up using the same random garbage secret each time! Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3810)
author: Matt Caswell <matt@openssl.org> 2017-06-30 10:45:11 +0100
committer: Matt Caswell <matt@openssl.org> 2017-07-03 10:48:34 +0100
commit: 4d89bf448490e7c77743f53bfbefbaddee9b275e (patch)
tree: db4c5753c8ec16613e0832c713d49e5adef27f2c
parent: 48feaceb53fa6ae924e298b8eba0e247019313e4 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 55e68c60db..92b1f198ab 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -622,7 +622,7 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
             || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
             || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
                                   (const unsigned char *)label, llen, NULL,
-                                  exportsecret, 0)
+                                  exportsecret, hashsize)
             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
                                   sizeof(exporterlabel) - 1, hash, out, olen))
         goto err;
author	Matt Caswell <matt@openssl.org>	2017-06-30 10:45:11 +0100
committer	Matt Caswell <matt@openssl.org>	2017-07-03 10:48:34 +0100
commit	4d89bf448490e7c77743f53bfbefbaddee9b275e (patch)
tree	db4c5753c8ec16613e0832c713d49e5adef27f2c
parent	48feaceb53fa6ae924e298b8eba0e247019313e4 (diff)