authorMatt Caswell <matt@openssl.org>2016-12-29 17:11:27 +0000
committerMatt Caswell <matt@openssl.org>2017-01-10 23:02:50 +0000
commitace081c1ed98346328e251884c3bea4b41cb50ad (patch)
tree3fc9e0107807c84d411a2916785c4e303cb9117c /test
parent4954fd13b3c71f0f74677b78533f1176e13de032 (diff)
Fix client application traffic secret
A misreading of the TLS1.3 spec meant we were using the handshake hashes up to and including the Client Finished to calculate the client application traffic secret. We should only use them up until the Server Finished. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2157)
Diffstat (limited to 'test')
-rw-r--r--test/tls13secretstest.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index 8734f2ae03..93b6e44257 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -186,12 +186,19 @@ static int test_secret(SSL *s, unsigned char *prk,
const unsigned char *ref_secret,
const unsigned char *ref_key, const unsigned char *ref_iv)
{
- size_t hashsize = EVP_MD_size(ssl_handshake_md(s));
+ size_t hashsize;
unsigned char gensecret[EVP_MAX_MD_SIZE];
+ unsigned char hash[EVP_MAX_MD_SIZE];
unsigned char key[KEYLEN];
unsigned char iv[IVLEN];
- if (!tls13_derive_secret(s, prk, label, labellen, gensecret)) {
+ if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
+ fprintf(stderr, "Failed to get hash\n");
+ return 0;
+ }
+
+ if (!tls13_hkdf_expand(s, prk, label, labellen, hash, gensecret,
+ hashsize)) {
fprintf(stderr, "Secret generation failed\n");
return 0;
}