2 files changed, 10 insertions, 0 deletions

diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 5471e900b8..5fb1feb801 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2752,7 +2752,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
 #define CLIENT_HANDSHAKE_LABEL "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
 #define SERVER_HANDSHAKE_LABEL "SERVER_HANDSHAKE_TRAFFIC_SECRET"
 #define CLIENT_APPLICATION_LABEL "CLIENT_TRAFFIC_SECRET_0"
+#define CLIENT_APPLICATION_N_LABEL "CLIENT_TRAFFIC_SECRET_N"
 #define SERVER_APPLICATION_LABEL "SERVER_TRAFFIC_SECRET_0"
+#define SERVER_APPLICATION_N_LABEL "SERVER_TRAFFIC_SECRET_N"
 #define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET"
 #define EXPORTER_SECRET_LABEL "EXPORTER_SECRET"
 
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index b186cb3897..ddcff5eb89 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -755,6 +755,7 @@ int tls13_update_key(SSL *s, int sending)
     unsigned char key[EVP_MAX_KEY_LENGTH];
     unsigned char *insecret, *iv;
     unsigned char secret[EVP_MAX_MD_SIZE];
+    char *log_label;
     EVP_CIPHER_CTX *ciph_ctx;
     int ret = 0, l;
 
@@ -791,6 +792,13 @@ int tls13_update_key(SSL *s, int sending)
 
     memcpy(insecret, secret, hashlen);
 
+    /* Call Key log on successful traffic secret update */
+    log_label = s->server == sending ? SERVER_APPLICATION_N_LABEL : CLIENT_APPLICATION_N_LABEL;
+    if (!ssl_log_secret(s, log_label, secret, hashlen)) {
+        /* SSLfatal() already called */
+        goto err;
+    }
+
     s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
     ret = 1;
  err: