From: Tobias Brunner Date: Fri, 12 Feb 2021 12:25:05 +0000 (+0100) Subject: tls-crypto: Fix MSK calculation for TLS 1.3 X-Git-Tag: 5.9.10rc1~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06abdf1d31f5cee7ee90611e2ee7f390b2a3c9a4;p=thirdparty%2Fstrongswan.git tls-crypto: Fix MSK calculation for TLS 1.3 As noted in 121ac4b9e37e ("tls-crypto: Generate MSK for TLS 1.3"), the calculation was only preliminary. It is now fixed according to RFC 9190 and draft-ietf-emu-tls-eap-types (soon to become an RFC, currently in the RFC editor queue). Fixes: 121ac4b9e37e ("tls-crypto: Generate MSK for TLS 1.3") --- diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 1b787ca4b6..04fc8201ac 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -2312,11 +2312,27 @@ METHOD(tls_crypto_t, derive_app_keys, bool, /* EAP-MSK */ if (this->msk_label) { + uint8_t type; + + switch (this->tls->get_purpose(this->tls)) + { + case TLS_PURPOSE_EAP_TLS: + type = EAP_TLS; + break; + case TLS_PURPOSE_EAP_PEAP: + type = EAP_PEAP; + break; + case TLS_PURPOSE_EAP_TTLS: + type = EAP_TTLS; + break; + default: + return FALSE; + } /* because the length is encoded when expanding key material, we - * request the same number of bytes as FreeRADIUS (the first 64 for - * the MSK, the next for the EMSK, which we just ignore) */ - if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty, - this->handshake, 128, &this->msk)) + * request MSK and EMSK even if we don't use the latter */ + if (!this->hkdf->export(this->hkdf, "EXPORTER_EAP_TLS_Key_Material", + chunk_from_thing(type), this->handshake, 128, + &this->msk)) { return FALSE; }