TLS 1.3: fix exporter secret computation
on the client, if a client certificate was used, it was included in the
transcript used for the exporter secret -- we now compute the exporter secret earlier

on the server, an empty master secret was used, so the exporter secret
never matched

this has been validated with the OCaml-TLS implementation itself (now, a
client and server talking to each other compute the same exporter secret).

also a "openssl s_server" with a "test_client.exe" using TLS 1.3 compute the
very same exporter key material now.
hannesm committed May 10, 2024
1 parent 22291c4 commit 29d6ad5
Showing 2 changed files with 4 additions and 4 deletions.
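--- a/lib/handshake_client13.ml
+++ b/lib/handshake_client13.ml
@@ -146,6 +146,7 @@ let answer_finished state (session : session_data13) server_hs_secret client_hs_
 let server_app_secret, server_app_ctx, client_app_secret, client_app_ctx =
 Handshake_crypto13.app_ctx session.master_secret log
 in
+let exporter_master_secret = Handshake_crypto13.exporter session.master_secret log in
 
 let* c_cv, log =
 if session.common_session_data13.client_auth then
@@ -181,7 +182,6 @@ let answer_finished state (session : session_data13) server_hs_secret client_hs_
 let myfin = Handshake_crypto13.finished hash client_hs_secret log in
 let mfin = Writer.assemble_handshake (Finished myfin) in
 
-let exporter_master_secret = Handshake_crypto13.exporter session.master_secret log in
 let resumption_secret = Handshake_crypto13.resumption session.master_secret (log <+> mfin) in
 let session = { session with resumption_secret ; exporter_master_secret ; client_app_secret ; server_app_secret } in
 let machina = Client13 Established13 in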
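Review bot: The new `exporter` binding in the first hunk is only correct while it stays above `let* c_cv, log =`, which rebinds `log`, and nothing in the code records that constraint. The body of the `client_auth` branch is outside the hunk, but the commit message indicates it adds the client certificate to the transcript, so moving the call back below it would silently bring the mismatch back. I would add a why-comment directly above the binding, for example `(* exporter secret covers the transcript up to the server Finished (RFC 8446, 7.1): derive it before [log] is rebound below *)`. answer_finished starts and ends outside both hunks.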
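--- a/lib/handshake_server13.ml
+++ b/lib/handshake_server13.ml
@@ -311,7 +311,8 @@ let answer_client_hello ~hrr state ch raw =
 let server_app_secret, server_app_ctx, client_app_secret, client_app_ctx =
 app_ctx master_secret log
 in
-let session' = { session' with server_app_secret ; client_app_secret } in
+let exporter_master_secret = Handshake_crypto13.exporter master_secret log in
+let session' = { session' with server_app_secret ; client_app_secret ; exporter_master_secret } in
 
 let* () =
 guard (Cstruct.length state.hs_fragment = 0)
@@ -342,8 +343,7 @@ let answer_client_hello ~hrr state ch raw =
 
 let session =
 let common_session_data13 = { session'.common_session_data13 with master_secret = master_secret.secret } in
-let exporter_master_secret = Handshake_crypto13.exporter session.master_secret log in
-{ session' with common_session_data13 ; master_secret }
 in
 let st, session =
 if can_use_early_data then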
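Review bot: No regression test accompanies the fix, so nothing guards the exporter binding now placed next to `app_ctx master_secret log` in the first hunk against a later reordering. The page lists two changed files, both under lib/, and the commit message describes manual validation only. A handshake test that runs this library's client and server against each other, with and without client authentication, and asserts that both sessions end up with the same `exporter_master_secret` would pin the behaviour. A short comment at the new binding would also help, e.g. `(* derive from the local master_secret; the session record's master_secret is presumably not set until the final record update *)`. answer_client_hello starts and ends outside both hunks.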
