tls-crypto: Generate MSK for TLS 1.3

We generate material for both MSK and EMSK even though we only need the
former.  Because HKDF-Expand-Label(), on which the export functionality
is based, encodes the requested key length, we have to allocate the same
number of bytes as e.g. FreeRADIUS does (i.e. if we only request 64
bytes, those won't be the same as the first 64 bytes after requesting
128 bytes).

Unfortunately, key derivation for TLS-based methods is currently not
standardized for TLS 1.3.  There is a draft [1], which defines a scheme
that's different from previous versions (instead of individual label
strings it uses a single one and passes the EAP type/code as context
value to TLS-Export()).  The current code is compatible to FreeRADIUS
3.0.x, which doesn't implement it according to that draft yet (there are
unreleased changes for EAP-TLS, not for the other methods, but these only
switch the label, no context value is passed).  In a separate draft
for EAP-TLS [2] there is an altogether different scheme defined in the
latest version (label combined with EAP method, no context and separate
derivation for MSK and EMSK).

So this is a mess and we will have to change this later with the inevitable
compatibility issues (we should definitely disable TLS 1.3 by default).

[1] https://tools.ietf.org/html/draft-ietf-emu-tls-eap-types
[2] https://tools.ietf.org/html/draft-ietf-emu-eap-tls13

diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 906c99baa2d40dd278bfe1c3d996ff8eea38bc86..cb2141f8b726600a6cf73b6470b8e7bd7b03b948 100644 (file)
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -2086,8 +2086,26 @@ METHOD(tls_crypto_t, derive_handshake_keys, bool,
 METHOD(tls_crypto_t, derive_app_keys, bool,
        private_tls_crypto_t *this)
 {
-       return derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
-                                                          TLS_HKDF_S_AP_TRAFFIC);
+       if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
+                                                        TLS_HKDF_S_AP_TRAFFIC))
+       {
+               return FALSE;
+       }
+
+       /* EAP-MSK */
+       if (this->msk_label)
+       {
+               /* because the length is encoded when expanding key material, we
+                * request the same number of bytes as FreeRADIUS (the first 64 for
+                * the MSK, the next for the EMSK, which we just ignore) */
+               if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
+                                                               this->handshake, 128, &this->msk))
+               {
+                       return FALSE;
+               }
+               this->msk.len = 64;
+       }
+       return TRUE;
 }
 
 METHOD(tls_crypto_t, update_app_keys, bool,