From: Nikos Mavrogiannopoulos
Date: Thu, 21 Jun 2018 13:05:40 +0000 (+0200)
Subject: key update: corrected generation of keys
X-Git-Tag: gnutls_3_6_3~55
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=241d579382e939e893b238e5fd0604cc174ffd80;p=thirdparty%2Fgnutls.git
key update: corrected generation of keys
Resolves #485
Signed-off-by: Nikos Mavrogiannopoulos
---
diff --git a/lib/constate.c b/lib/constate.c
index cdf9ed6479..b1086fd838 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -248,13 +248,16 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
 buf, sizeof(buf), NULL));
 }
+
 if ((session->security_parameters.entity == GNUTLS_CLIENT && stage == STAGE_UPD_OURS) ||
 (session->security_parameters.entity == GNUTLS_SERVER && stage == STAGE_UPD_PEERS)) {
+
 /* client keys */
- ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE,
+ ret = _tls13_expand_secret(session, APPLICATION_TRAFFIC_UPDATE,
 sizeof(APPLICATION_TRAFFIC_UPDATE)-1, NULL, 0,
- session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.hs_ckey,
+ session->security_parameters.prf->output_size,
 session->key.proto.tls13.hs_ckey);
 if (ret < 0)
 return gnutls_assert_val(ret);
@@ -267,10 +270,11 @@ _tls13_update_keys(gnutls_session_t session, hs_stage_t stage,
 if (ret < 0)
 return gnutls_assert_val(ret);
 } else {
- ret = _tls13_derive_secret(session, APPLICATION_TRAFFIC_UPDATE,
+ ret = _tls13_expand_secret(session, APPLICATION_TRAFFIC_UPDATE,
 sizeof(APPLICATION_TRAFFIC_UPDATE)-1, NULL, 0,
- session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.hs_skey,
+ session->security_parameters.prf->output_size,
 session->key.proto.tls13.hs_skey);
 if (ret < 0)
 return gnutls_assert_val(ret);
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index b27fa01130..99287b3726 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
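Review bot: The new `_tls13_expand_secret` call in the first hunk reads `session->key.proto.tls13.hs_ckey` as the input secret and writes the derived secret back into that same buffer, and the second hunk does the same with `hs_skey`; whether this in-place ratchet is safe depends on the expand routine having fully consumed its input secret before it writes `out`, which nothing in these hunks shows. A comment at each call site such as `/* in-place ratchet: the next traffic secret overwrites the current one, so the expand routine must consume the secret before writing out */` would record that assumption, and if the routine does not guarantee it the result should go through a temporary of `prf->output_size` bytes that is zeroized after the copy. Since the two hunks differ only in which buffer they ratchet, a small static helper taking the buffer pointer would keep them from drifting apart. `_tls13_update_keys` starts before the first hunk and continues past the second.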
@@ -503,8 +503,8 @@ struct gnutls_key_st {
 * early_secret, client_early_traffic_secret, ... */
 uint8_t temp_secret[MAX_HASH_SIZE];
 unsigned temp_secret_size; /* depends on negotiated PRF size */
- uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_handshake_traffic_secret */
- uint8_t hs_skey[MAX_HASH_SIZE]; /* server_handshake_traffic_secret */
+ uint8_t hs_ckey[MAX_HASH_SIZE]; /* client_hs_traffic_secret/client_ap_traffic_secret */
+ uint8_t hs_skey[MAX_HASH_SIZE]; /* server_hs_traffic_secret/server_ap_traffic_secret */
 uint8_t ap_expkey[MAX_HASH_SIZE]; /* exporter_master_secret */
 uint8_t ap_rms[MAX_HASH_SIZE]; /* resumption_master_secret */
 } tls13; /* tls1.3 */
diff --git a/lib/state.c b/lib/state.c
index 2c63001c2b..7276c2c43f 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -224,10 +224,6 @@ static void deinit_keys(gnutls_session_t session)
 } else {
 gnutls_memset(session->key.proto.tls13.temp_secret, 0,
 sizeof(session->key.proto.tls13.temp_secret));
- gnutls_memset(session->key.proto.tls13.hs_ckey, 0,
- sizeof(session->key.proto.tls13.hs_ckey));
- gnutls_memset(session->key.proto.tls13.hs_skey, 0,
- sizeof(session->key.proto.tls13.hs_skey));
 }
 reset_binders(session);
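Review bot: Removing the two `gnutls_memset` calls from `deinit_keys` leaves `hs_ckey` and `hs_skey`, which per the `gnutls_int.h` hunk now hold the live application traffic secrets, unwiped on this path, and nothing in the hunk shows where they are cleared later. If `deinit_keys` runs only when handshake material is discarded and the session's final teardown zeroizes the whole key block, that is fine, but it should be stated where the lines were removed, e.g. `/* hs_ckey/hs_skey now carry the application traffic secrets needed for key update; they are wiped at session deinit, not here */`; if no such wipe exists, the current traffic secrets would outlive the session in freed memory. `deinit_keys` begins before the hunk and the rest of its body is not shown.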