tls-crypto: Fix MSK calculation for TLS 1.3
[thirdparty/strongswan.git] / src / libtls / tls_crypto.c
index 1b787ca4b6eacfbc3437f8d083a2ead8b99376ad..04fc8201ac0fa95bb0ead7ded04f8e199cf813cc 100644 (file)
@@ -2312,11 +2312,27 @@ METHOD(tls_crypto_t, derive_app_keys, bool,
        /* EAP-MSK */
        if (this->msk_label)
        {
+               uint8_t type;
+
+               switch (this->tls->get_purpose(this->tls))
+               {
+                       case TLS_PURPOSE_EAP_TLS:
+                               type = EAP_TLS;
+                               break;
+                       case TLS_PURPOSE_EAP_PEAP:
+                               type = EAP_PEAP;
+                               break;
+                       case TLS_PURPOSE_EAP_TTLS:
+                               type = EAP_TTLS;
+                               break;
+                       default:
+                               return FALSE;
+               }
                /* because the length is encoded when expanding key material, we
-                * request the same number of bytes as FreeRADIUS (the first 64 for
-                * the MSK, the next for the EMSK, which we just ignore) */
-               if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
-                                                               this->handshake, 128, &this->msk))
+                * request MSK and EMSK even if we don't use the latter */
+               if (!this->hkdf->export(this->hkdf, "EXPORTER_EAP_TLS_Key_Material",
+                                                               chunk_from_thing(type), this->handshake, 128,
+                                                               &this->msk))
                {
                        return FALSE;
                }
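Review bot: The `default:` arm of the new switch returns FALSE without logging, so a TLS 1.3 session that has `msk_label` set but a purpose outside the three EAP cases fails key derivation with nothing to diagnose it by; a line such as `DBG1(DBG_TLS, "no EAP type for TLS purpose, unable to derive MSK");` before the return would fix that. In this branch `this->msk_label` now only gates the export, because the label passed to the exporter is the fixed string `"EXPORTER_EAP_TLS_Key_Material"`. A short comment at the `if` would make that explicit, for example `/* TLS 1.3: msk_label only signals that an MSK is wanted; exporter label and EAP type context are fixed */`. The 128 bytes written to `this->msk` include the EMSK half, and the hunk does not show whether the chunk is later trimmed to the MSK and the remainder wiped, nor whether a previous `this->msk` is cleared before being overwritten; both are worth confirming, since unused key material should not linger in memory. derive_app_keys starts and ends outside the hunk.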