tls-crypto: Fix MSK calculation for TLS 1.3

As noted in 121ac4b9e37e ("tls-crypto: Generate MSK for TLS 1.3"), the
calculation was only preliminary.  It is now fixed according to RFC 9190
and draft-ietf-emu-tls-eap-types (soon to become an RFC, currently in
the RFC editor queue).

Fixes: 121ac4b9e37e ("tls-crypto: Generate MSK for TLS 1.3")
Tobias Brunner 2021-02-12 13:25:05 +01:00
parent 5a512ff56b
commit 06abdf1d31
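The derivation the commit message refers to, written out as an added example that is not strongSwan's code: RFC 8446's TLS-Exporter built from HKDF-Expand-Label, called as RFC 9190 (and draft-ietf-emu-tls-eap-types for the other TLS-based EAP methods) specify it, with the label "EXPORTER_EAP_TLS_Key_Material", the one-byte EAP Type-Code as context, and 128 bytes of output of which the first 64 are the MSK and the next 64 the EMSK. The exporter master secret below is a constructed sample value, and SHA-256 is assumed as the negotiated hash; a real implementation uses the secret and hash from the finished handshake.

```python
"""
EAP-TLS 1.3 MSK/EMSK derivation on top of the RFC 8446 TLS exporter.
Added illustration, not strongSwan's tls-crypto code; standard library only.
"""
import hashlib
import hmac

# IANA EAP method type codes used as the exporter context (one byte each).
EAP_TLS, EAP_TTLS, EAP_PEAP = 13, 21, 25
EXPORTER_LABEL = b"EXPORTER_EAP_TLS_Key_Material"


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """HKDF-Expand from RFC 5869: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    h = getattr(hashlib, hash_name)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_label(length, label, context):
    """Serialise the HkdfLabel struct of RFC 8446 section 7.1."""
    label = b"tls13 " + label
    return (length.to_bytes(2, "big")
            + bytes([len(label)]) + label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret, label, context, length, hash_name="sha256"):
    return hkdf_expand(secret, hkdf_label(length, label, context), length, hash_name)


def derive_secret(secret, label, messages, hash_name="sha256"):
    """Derive-Secret(Secret, Label, Messages) with Transcript-Hash(Messages)."""
    h = getattr(hashlib, hash_name)
    return hkdf_expand_label(secret, label, h(messages).digest(),
                             h().digest_size, hash_name)


def tls_exporter(exporter_master_secret, label, context_value, key_length,
                 hash_name="sha256"):
    """TLS-Exporter from RFC 8446 section 7.5: the context is hashed, not
    used raw, which is why an empty context and a one-byte type code give
    entirely different key material."""
    h = getattr(hashlib, hash_name)
    derived = derive_secret(exporter_master_secret, label, b"", hash_name)
    return hkdf_expand_label(derived, b"exporter", h(context_value).digest(),
                             key_length, hash_name)


def eap_tls_key_material(exporter_master_secret, eap_type, hash_name="sha256"):
    """Return (MSK, EMSK) per RFC 9190: 128 exporter bytes, split 64/64."""
    type_code = bytes([eap_type])          # Type-Code is a single octet
    key_material = tls_exporter(exporter_master_secret, EXPORTER_LABEL,
                                type_code, 128, hash_name)
    return key_material[:64], key_material[64:]


if __name__ == "__main__":
    # Constructed sample secret; a real one comes from the TLS key schedule.
    sample_exporter_master_secret = bytes(range(32))
    for name, code in (("EAP-TLS", EAP_TLS), ("EAP-TTLS", EAP_TTLS),
                       ("EAP-PEAP", EAP_PEAP)):
        msk, emsk = eap_tls_key_material(sample_exporter_master_secret, code)
        print(f"{name:9} MSK  {msk.hex()}")
        print(f"{name:9} EMSK {emsk.hex()}")
```

Because the type code is part of the context, the same handshake secret yields a different MSK for EAP-TLS, EAP-TTLS and EAP-PEAP; an implementation that passed an empty context would produce identical key material for all three.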


@ -2312,11 +2312,27 @@ METHOD(tls_crypto_t, derive_app_keys, bool,
/* EAP-MSK */ /* EAP-MSK */
if (this->msk_label) if (this->msk_label)
{ {
uint8_t type;
switch (this->tls->get_purpose(this->tls))
{
case TLS_PURPOSE_EAP_TLS:
type = EAP_TLS;
break;
case TLS_PURPOSE_EAP_PEAP:
type = EAP_PEAP;
break;
case TLS_PURPOSE_EAP_TTLS:
type = EAP_TTLS;
break;
default:
return FALSE;
}
/* because the length is encoded when expanding key material, we /* because the length is encoded when expanding key material, we
* request the same number of bytes as FreeRADIUS (the first 64 for * request MSK and EMSK even if we don't use the latter */
* the MSK, the next for the EMSK, which we just ignore) */ if (!this->hkdf->export(this->hkdf, "EXPORTER_EAP_TLS_Key_Material",
if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty, chunk_from_thing(type), this->handshake, 128,
this->handshake, 128, &this->msk)) &this->msk))
{ {
return FALSE; return FALSE;
} }
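Review bot: the `default:` arm of the new switch returns FALSE silently, so a TLS purpose that is not one of the three EAP methods will make derive_app_keys fail with no indication of why; a DBG1 line naming the unsupported purpose before `return FALSE;` would make that failure diagnosable. A smaller point in the same hunk: the block is still gated by `if (this->msk_label)` but the label is no longer used on this path, since the exporter label is now hard-coded as "EXPORTER_EAP_TLS_Key_Material" and the EAP type code is passed as context via `chunk_from_thing(type)`; the updated comment should say that msk_label only acts as a "derive an MSK" flag here, and that `type` is deliberately a one-byte uint8_t because the Type-Code context in RFC 9190 is a single octet.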