[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri Jul 7 14:08:09 UTC 2017


The branch master has been updated
       via  515982154031b679f58d5e2cbd7752294779221e (commit)
       via  8f81476145f75851a5f894e857ceb781aa979b99 (commit)
       via  b81bd33680ee7d886505783337e4f8ab89a27baf (commit)
       via  5a6ff161cc157c7ed4a113ec3b00402b89ac6431 (commit)
       via  a19ae67d8da53a4a5878e34d1070d3aeb1f5963c (commit)
       via  de2f409ef9de775df6db2c7de69b7bb0df21e380 (commit)
       via  9b6a82546151d6f971628e2d7828752ee47bfef7 (commit)
       via  07ff590f8f2d0affcd89afad103274100bb5705b (commit)
      from  9561e2a169f499f8346ffdd7541bc4e3d81d6711 (commit)


- Log -----------------------------------------------------------------
commit 515982154031b679f58d5e2cbd7752294779221e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Jul 7 11:21:29 2017 +0100

    Updates following review feedback of TLSv1.3 draft-21 code
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

commit 8f81476145f75851a5f894e857ceb781aa979b99
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jul 5 11:31:51 2017 +0100

    Update SSL_trace() to know about ticket_nonce
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

commit b81bd33680ee7d886505783337e4f8ab89a27baf
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jul 5 11:26:10 2017 +0100

    Update the early_secret generation to use the new ticket_nonce field
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

commit 5a6ff161cc157c7ed4a113ec3b00402b89ac6431
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jul 5 11:24:30 2017 +0100

    Update the test/session.pem to have a tick_nonce value
    
    Otherwise the ClientHello test fails
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

commit a19ae67d8da53a4a5878e34d1070d3aeb1f5963c
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jul 5 11:23:16 2017 +0100

    Update tls13_hkdf_expand() to take the length of the data
    
    In most scenarios the length of the input data is the hashsize, or 0 if
    the data is NULL. However with the new ticket_nonce changes the length can
    be different.
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

commit de2f409ef9de775df6db2c7de69b7bb0df21e380
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jul 5 10:45:02 2017 +0100

    The correct key length for a TLSv1.3 SHA384 ciphersuite is 48
    
    Our test was using 32. The latest ticket nonce changes now validate this
    value and so sslapitest was failing.
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

commit 9b6a82546151d6f971628e2d7828752ee47bfef7
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jul 5 08:45:46 2017 +0100

    Send and receive the ticket_nonce field in a NewSessionTicket
    
    This just adds the processing for sending and receiving the newly added
    ticket_nonce field. It doesn't actually use it yet.
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

commit 07ff590f8f2d0affcd89afad103274100bb5705b
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jul 4 11:02:02 2017 +0100

    Update the version number for TLSv1.3 draft 21
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/3852)

-----------------------------------------------------------------------

Summary of changes:
 include/openssl/tls1.h   |  6 +++---
 ssl/ssl_asn1.c           | 20 +++++++++++++++++++-
 ssl/ssl_locl.h           |  4 +++-
 ssl/ssl_sess.c           |  9 +++++++++
 ssl/statem/extensions.c  | 31 +++++++++++++++++++++++++++----
 ssl/statem/statem_clnt.c |  8 +++++++-
 ssl/statem/statem_srvr.c | 17 ++++++++++++++++-
 ssl/t1_trce.c            |  3 +++
 ssl/tls13_enc.c          | 35 +++++++++++++++++++----------------
 test/session.pem         | 17 +++++++++--------
 test/sslapitest.c        |  3 ++-
 test/tls13secretstest.c  |  4 ++--
 util/TLSProxy/Record.pm  |  2 +-
 13 files changed, 120 insertions(+), 39 deletions(-)

diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 0878851..d929099 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -30,9 +30,9 @@ extern "C" {
 # define TLS1_3_VERSION                  0x0304
 # define TLS_MAX_VERSION                 TLS1_3_VERSION
 
-/* TODO(TLS1.3) REMOVE ME: Version indicator for draft -20 */
-# define TLS1_3_VERSION_DRAFT            0x7f14
-# define TLS1_3_VERSION_DRAFT_TXT        "TLS 1.3 (draft 20)"
+/* TODO(TLS1.3) REMOVE ME: Version indicator for draft -21 */
+# define TLS1_3_VERSION_DRAFT            0x7f15
+# define TLS1_3_VERSION_DRAFT_TXT        "TLS 1.3 (draft 21)"
 
 /* Special value for method supporting multiple versions */
 # define TLS_ANY_VERSION                 0x10000
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 340fcf2..f6019bc 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -41,6 +41,7 @@ typedef struct {
     uint64_t flags;
     uint32_t max_early_data;
     ASN1_OCTET_STRING *alpn_selected;
+    ASN1_OCTET_STRING *tick_nonce;
 } SSL_SESSION_ASN1;
 
 ASN1_SEQUENCE(SSL_SESSION_ASN1) = {
@@ -69,7 +70,8 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = {
     ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, flags, ZUINT64, 13),
     ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, tlsext_tick_age_add, ZUINT32, 14),
     ASN1_EXP_OPT_EMBED(SSL_SESSION_ASN1, max_early_data, ZUINT32, 15),
-    ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16)
+    ASN1_EXP_OPT(SSL_SESSION_ASN1, alpn_selected, ASN1_OCTET_STRING, 16),
+    ASN1_EXP_OPT(SSL_SESSION_ASN1, tick_nonce, ASN1_OCTET_STRING, 17)
 } static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1)
 
 IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1)
@@ -118,6 +120,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
     ASN1_OCTET_STRING psk_identity, psk_identity_hint;
 #endif
     ASN1_OCTET_STRING alpn_selected;
+    ASN1_OCTET_STRING tick_nonce;
 
     long l;
 
@@ -187,6 +190,12 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
         ssl_session_oinit(&as.alpn_selected, &alpn_selected,
                           in->ext.alpn_selected, in->ext.alpn_selected_len);
 
+    if (in->ext.tick_nonce == NULL)
+        as.tick_nonce = NULL;
+    else
+        ssl_session_oinit(&as.tick_nonce, &tick_nonce,
+                          in->ext.tick_nonce, in->ext.tick_nonce_len);
+
     return i2d_SSL_SESSION_ASN1(&as, pp);
 
 }
@@ -352,6 +361,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
         ret->ext.alpn_selected_len = 0;
     }
 
+    if (as->tick_nonce != NULL) {
+        ret->ext.tick_nonce = as->tick_nonce->data;
+        ret->ext.tick_nonce_len = as->tick_nonce->length;
+        as->tick_nonce->data = NULL;
+    } else {
+        ret->ext.tick_nonce = NULL;
+        ret->ext.tick_nonce_len = 0;
+    }
+
     M_ASN1_free_of(as, SSL_SESSION_ASN1);
 
     if ((a != NULL) && (*a == NULL))
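Review bot: the assignment `ret->ext.tick_nonce = as->tick_nonce->data;` overwrites whatever `ret` already holds without freeing it, and the `if ((a != NULL) && (*a == NULL))` context shows this function can be handed a caller-supplied session. Unless that reuse path is known not to reach here, `OPENSSL_free(ret->ext.tick_nonce)` before taking ownership of the decoded buffer, and do the same in the `else` branch before setting it to NULL, so a reused session cannot leak its previous nonce.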
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 1105416..168e5dd 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -551,6 +551,8 @@ struct ssl_session_st {
         /* Session lifetime hint in seconds */
         unsigned long tick_lifetime_hint;
         uint32_t tick_age_add;
+        unsigned char *tick_nonce;
+        size_t tick_nonce_len;
         int tick_identity;
         /* Max number of bytes that can be sent as early data */
         uint32_t max_early_data;
@@ -2263,7 +2265,7 @@ __owur int tls13_update_key(SSL *s, int send);
 __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
                              const unsigned char *secret,
                              const unsigned char *label, size_t labellen,
-                             const unsigned char *hash,
+                             const unsigned char *data, size_t datalen,
                              unsigned char *out, size_t outlen);
 __owur int tls13_derive_key(SSL *s, const EVP_MD *md,
                             const unsigned char *secret, unsigned char *key,
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index e7fe714..a1d2013 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -128,6 +128,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
 #endif
     dest->peer_chain = NULL;
     dest->peer = NULL;
+    dest->ext.tick_nonce = NULL;
     memset(&dest->ex_data, 0, sizeof(dest->ex_data));
 
     /* We deliberately don't copy the prev and next pointers */
@@ -222,6 +223,13 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
         }
     }
 
+    if (src->ext.tick_nonce != NULL) {
+        dest->ext.tick_nonce = OPENSSL_memdup(src->ext.tick_nonce,
+                                              src->ext.tick_nonce_len);
+        if (dest->ext.tick_nonce == NULL)
+            goto err;
+    }
+
 #ifndef OPENSSL_NO_SRP
     if (src->srp_username) {
         dest->srp_username = OPENSSL_strdup(src->srp_username);
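Review bot: `OPENSSL_memdup` returns NULL for a zero-length request, so a source session whose `tick_nonce` pointer is non-NULL while `tick_nonce_len` is 0 (an empty OCTET STRING coming out of d2i_SSL_SESSION would look like that) is reported here as a malloc failure via `goto err`. Either guard the copy on `src->ext.tick_nonce_len != 0` or reject empty nonces at decode time, as the client-side `PACKET_remaining(&nonce) == 0` check already does on the wire. Setting `dest->ext.tick_nonce = NULL` right after the struct copy in the earlier hunk is correct, since it keeps the error path from freeing the source's buffer.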
@@ -785,6 +793,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
     OPENSSL_free(ss->srp_username);
 #endif
     OPENSSL_free(ss->ext.alpn_selected);
+    OPENSSL_free(ss->ext.tick_nonce);
     CRYPTO_THREAD_lock_free(ss->lock);
     OPENSSL_clear_free(ss, sizeof(*ss));
 }
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 4965231..9e25a3e 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1234,9 +1234,11 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
     EVP_MD_CTX *mctx = NULL;
     unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
     unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
-    unsigned char *early_secret;
+    unsigned char tmppsk[EVP_MAX_MD_SIZE];
+    unsigned char *early_secret, *psk;
     const char resumption_label[] = "res binder";
     const char external_label[] = "ext binder";
+    const char nonce_label[] = "resumption";
     const char *label;
     size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
     int ret = -1;
@@ -1249,6 +1251,28 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
         labelsize = sizeof(resumption_label) - 1;
     }
 
+    if (sess->master_key_length != hashsize) {
+        SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);
+        goto err;
+    }
+
+    if (external) {
+        psk = sess->master_key;
+    } else {
+        if (sess->ext.tick_nonce == NULL) {
+            SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);
+            goto err;
+        }
+        psk = tmppsk;
+        if (!tls13_hkdf_expand(s, md, sess->master_key,
+                               (const unsigned char *)nonce_label,
+                               sizeof(nonce_label) - 1, sess->ext.tick_nonce,
+                               sess->ext.tick_nonce_len, psk, hashsize)) {
+            SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+    }
+
     /*
      * Generate the early_secret. On the server side we've selected a PSK to
      * resume with (internal or external) so we always do this. On the client
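Review bot: `tmppsk` now holds the derived resumption PSK on the stack for the rest of the function. If the function already cleanses its other stack key buffers (`binderkey`, `finishedkey`, declared alongside it) before returning, `tmppsk` needs to be added to that list; if it does not, all of them should be cleansed on both the success and `err` paths. Separately, the `sess->master_key_length != hashsize` check now applies to external PSKs as well as resumption ones, which is what makes the sslapitest key-length change in this series necessary; a one-line comment saying the PSK must be exactly one hash output long would save the next reader that trip.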
@@ -1260,8 +1284,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
         early_secret = (unsigned char *)s->early_secret;
     else
         early_secret = (unsigned char *)sess->early_secret;
-    if (!tls13_generate_secret(s, md, NULL, sess->master_key,
-                               sess->master_key_length, early_secret)) {
+    if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
         SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
         goto err;
     }
@@ -1280,7 +1303,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 
     /* Generate the binder key */
     if (!tls13_hkdf_expand(s, md, early_secret, (unsigned char *)label,
-                           labelsize, hash, binderkey, hashsize)) {
+                           labelsize, hash, hashsize, binderkey, hashsize)) {
         SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
         goto err;
     }
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 53aa1dc..e6c7226 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2421,9 +2421,15 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
     unsigned long ticket_lifetime_hint, age_add = 0;
     unsigned int sess_len;
     RAW_EXTENSION *exts = NULL;
+    PACKET nonce;
 
     if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
-        || (SSL_IS_TLS13(s) && !PACKET_get_net_4(pkt, &age_add))
+        || (SSL_IS_TLS13(s)
+            && (!PACKET_get_net_4(pkt, &age_add)
+                || !PACKET_get_length_prefixed_1(pkt, &nonce)
+                || PACKET_remaining(&nonce) == 0
+                || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,
+                                  &s->session->ext.tick_nonce_len)))
         || !PACKET_get_net_2(pkt, &ticklen)
         || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
         || (SSL_IS_TLS13(s)
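Review bot: `PACKET_memdup` frees whatever `s->session->ext.tick_nonce` already points to before copying, so a session that receives a fresh ticket does not leak the old nonce; worth a short comment, since the server-side hunk does the equivalent `OPENSSL_free` explicitly and a reader may look for it here. Note also that `PACKET_memdup` succeeds without allocating when the sub-packet is empty, so the explicit `PACKET_remaining(&nonce) == 0` test is the only thing rejecting an empty nonce; keep it, and consider whether an allocation failure inside `PACKET_memdup` should surface as something other than a decode error, since all three conditions share this one `if`.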
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 05405b0..f3f54d4 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3381,6 +3381,19 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
         if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
             goto err;
         s->session->ext.tick_age_add = age_add_u.age_add;
+       /*
+        * ticket_nonce is set to a single 0 byte because we only ever send a
+        * single ticket per connection. IMPORTANT: If we ever support multiple
+        * tickets per connection then this will need to be changed.
+        */
+        OPENSSL_free(s->session->ext.tick_nonce);
+        s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char));
+        if (s->session->ext.tick_nonce == NULL) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+                   ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+        s->session->ext.tick_nonce_len = 1;
         s->session->time = (long)time(NULL);
         if (s->s3->alpn_selected != NULL) {
             OPENSSL_free(s->session->ext.alpn_selected);
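Review bot: the new comment block is indented one column less than the code around it (`       /*` under 8-space code), which the OpenSSL style checker will flag; align it with the `OPENSSL_free` line that follows. The `OPENSSL_free` before `OPENSSL_zalloc` is the right way to handle a session that already carries a nonce. The "IMPORTANT" note about a single zero byte only being valid while one ticket is sent per connection is the kind of constraint that belongs next to the `ext.tick_nonce` field in ssl_locl.h as well, so anyone adding multi-ticket support sees it at the definition and not only here.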
@@ -3497,7 +3510,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
                                (s->hit && !SSL_IS_TLS13(s))
                                ? 0 : s->session->timeout)
             || (SSL_IS_TLS13(s)
-                && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add))
+                && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
+                    || !WPACKET_sub_memcpy_u8(pkt, s->session->ext.tick_nonce,
+                                              s->session->ext.tick_nonce_len)))
                /* Now the actual ticket data */
             || !WPACKET_start_sub_packet_u16(pkt)
             || !WPACKET_get_total_written(pkt, &macoffset)
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 1067a75..ce98581 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -1341,6 +1341,9 @@ static int ssl_print_ticket(BIO *bio, int indent, SSL *s,
         msg += 4;
         BIO_indent(bio, indent + 2, 80);
         BIO_printf(bio, "ticket_age_add=%u\n", ticket_age_add);
+        if (!ssl_print_hexbuf(bio, indent + 2, "ticket_nonce", 1, &msg,
+                              &msglen))
+            return 0;
     }
     if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen))
         return 0;
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 92b1f19..44d8ba9 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -18,14 +18,14 @@
 static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
 
 /*
- * Given a |secret|; a |label| of length |labellen|; and a |hash| of the
- * handshake messages, derive a new secret |outlen| bytes long and store it in
- * the location pointed to be |out|. The |hash| value may be NULL. Returns 1 on
- * success  0 on failure.
+ * Given a |secret|; a |label| of length |labellen|; and |data| of length
+ * |datalen| (e.g. typically a hash of the handshake messages), derive a new
+ * secret |outlen| bytes long and store it in the location pointed to be |out|.
+ * The |data| value may be zero length. Returns 1 on success  0 on failure.
  */
 int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
                              const unsigned char *label, size_t labellen,
-                             const unsigned char *hash,
+                             const unsigned char *data, size_t datalen,
                              unsigned char *out, size_t outlen)
 {
     const unsigned char label_prefix[] = "tls13 ";
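Review bot: the rewritten comment carries over two pre-existing typos: "the location pointed to be |out|" should read "pointed to by |out|", and "Returns 1 on success  0 on failure" needs a comma. "(e.g. typically a hash of the handshake messages)" says the same thing twice; "typically a hash of the handshake messages" is enough. Since the body still guards with `(data == NULL) ? 0 : datalen`, the comment should also state that `data` may be NULL, in which case `datalen` is ignored, as the existing `NULL, 0` callers rely on.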
@@ -53,7 +53,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
             || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1)
             || !WPACKET_memcpy(&pkt, label, labellen)
             || !WPACKET_close(&pkt)
-            || !WPACKET_sub_memcpy_u8(&pkt, hash, (hash == NULL) ? 0 : hashlen)
+            || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
             || !WPACKET_get_total_written(&pkt, &hkdflabellen)
             || !WPACKET_finish(&pkt)) {
         EVP_PKEY_CTX_free(pctx);
@@ -84,7 +84,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
     static const unsigned char keylabel[] = "key";
 
     return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
-                             NULL, key, keylen);
+                             NULL, 0, key, keylen);
 }
 
 /*
@@ -97,7 +97,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
     static const unsigned char ivlabel[] = "iv";
 
     return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
-                             NULL, iv, ivlen);
+                             NULL, 0, iv, ivlen);
 }
 
 int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
@@ -107,7 +107,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
     static const unsigned char finishedlabel[] = "finished";
 
     return tls13_hkdf_expand(s, md, secret, finishedlabel,
-                             sizeof(finishedlabel) - 1, NULL, fin, finlen);
+                             sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
 }
 
 /*
@@ -156,7 +156,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
         /* Generate the pre-extract secret */
         if (!tls13_hkdf_expand(s, md, prevsecret,
                                (unsigned char *)derived_secret_label,
-                               sizeof(derived_secret_label) - 1, hash,
+                               sizeof(derived_secret_label) - 1, hash, mdlen,
                                preextractsec, mdlen)) {
             EVP_PKEY_CTX_free(pctx);
             return 0;
@@ -282,8 +282,8 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
     size_t ivlen, keylen, taglen;
     size_t hashlen = EVP_MD_size(md);
 
-    if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, secret,
-                           hashlen)) {
+    if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
+                           secret, hashlen)) {
         SSLerr(SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_INTERNAL_ERROR);
         goto err;
     }
@@ -505,7 +505,8 @@ int tls13_change_cipher_state(SSL *s, int which)
         if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
                                resumption_master_secret,
                                sizeof(resumption_master_secret) - 1,
-                               hashval, s->session->master_key, hashlen)) {
+                               hashval, hashlen, s->session->master_key,
+                               hashlen)) {
             SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
             goto err;
         }
@@ -515,7 +516,8 @@ int tls13_change_cipher_state(SSL *s, int which)
         if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
                                exporter_master_secret,
                                sizeof(exporter_master_secret) - 1,
-                               hash, s->exporter_master_secret, hashlen)) {
+                               hash, hashlen, s->exporter_master_secret,
+                               hashlen)) {
             SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
             goto err;
         }
@@ -621,10 +623,11 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
             || EVP_DigestUpdate(ctx, context, contextlen) <= 0
             || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
             || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
-                                  (const unsigned char *)label, llen, NULL,
+                                  (const unsigned char *)label, llen, NULL, 0,
                                   exportsecret, hashsize)
             || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
-                                  sizeof(exporterlabel) - 1, hash, out, olen))
+                                  sizeof(exporterlabel) - 1, hash, hashsize,
+                                  out, olen))
         goto err;
 
     ret = 1;
diff --git a/test/session.pem b/test/session.pem
index fa23277..8b01ffc 100644
--- a/test/session.pem
+++ b/test/session.pem
@@ -1,7 +1,7 @@
 -----BEGIN SSL SESSION PARAMETERS-----
-MIIFMAIBAQICAwQEAhMCBCAuhyL8Neo+jOicuNiWOzIDX/HXQRGGkgru3aX+p7+6
-CgQwXZWvZnbuON/qITvDWC7KoECPjyThlAd3fRe7ZxD/6C+vqf+SpSUMcxS7P24t
-RyXYoQYCBFjKfImiBAICHCCjggPrMIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0G
+MIIFRAIBAQICAwQEAhMCBCDom190ggLdEV9HNhMrbc8/MLs9NS3nqoWFoIJLgQqS
+tgQwzskkzvykWInToBTKeUhVYe4BidOBYHdHZ65Z2ETBf63lz1dMKRraxwl6K07f
+BUyBoQYCBFlct3qiBAICHCCjggPrMIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0G
 CSqGSIb3DQEBBQUAMHAxCzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdy
 b3VwMSIwIAYDVQQLDBlGT1IgVEVTVElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQD
 DBxPcGVuU1NMIFRlc3QgSW50ZXJtZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoX
@@ -22,9 +22,10 @@ Wz9qoeoFZax+QBpIZYjROU3TS3fpyLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCp
 W2Uoy8sAA4JjN9OtsZY7dvUXFgJ7vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZ
 J1z1cbbwGDDzfvGFPzJ+Sq+zEPdsxoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxz
 A7mNGv73JoZJA6nFgj+ADSlJsY/tJBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+Al
-tvHTANdAq0t/K3o+pplMVKQCBAClAwIBFakEAgIcIKqBswSBsKXqWrhXS9CdUYkn
-yj8+BRslsixGMMFyWSHsivOMmAf3dX5z/iDaY8cqytsRkNRKzlSPjblplzcGo9pz
-sUazmp39cWRsWrKJs2izBxqVRcp4rpzzDCSTZK3UiY2uhKgGmC2WPwIMyxuEya00
-rmMgKGee7AQPG8qQGQgDEd/6Vh1ZPbpsh+XQW42ZgMhc4iDsRETH/DTlRkm527lH
-IA1ez17Zk5vMIa65o82opA4KCVRqrgcCBQDXFjTErwQCAkAA
+tvHTANdAq0t/K3o+pplMVKQCBAClAwIBFakEAgIcIKqBwwSBwFNYKC1r6z0zp+wI
+V+A8n63Wh4X/0HtKa7dJCGhvLxjI+BL9QK8JB2Qrs3OR32VjVyVWD9K0atHwhyTR
+wwFJfBEfgv9reCtOiQg2oHadD3iCbHjhhGCvbj+zCChMGSEE8NtqkBpwGATtwgN7
+qoLShh+JyHwhfXWKhKlEibr8W0ipe6R3VUW9+wsW8nTGs4FmvQSIkLI1WCr226LN
+wkRIx5+3Q3mZB39Epco4srvyLy8J/B+x2lhUdIpov7VBz++C864GAgRYHFWqrwQC
+AkAAsQMEAQA=
 -----END SSL SESSION PARAMETERS-----
diff --git a/test/sslapitest.c b/test/sslapitest.c
index ae5c4c0..b77a229 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -2002,7 +2002,8 @@ static int test_tls13_psk(void)
     const unsigned char key[] = {
         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+        0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
     };
     int testresult = 0;
 
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index daccd7c..e052d0b 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -226,8 +226,8 @@ static int test_secret(SSL *s, unsigned char *prk,
         return 0;
     }
 
-    if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, gensecret,
-                           hashsize)) {
+    if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
+                           gensecret, hashsize)) {
         TEST_error("Secret generation failed");
         return 0;
     }
diff --git a/util/TLSProxy/Record.pm b/util/TLSProxy/Record.pm
index 8c6e901..5017c90 100644
--- a/util/TLSProxy/Record.pm
+++ b/util/TLSProxy/Record.pm
@@ -36,7 +36,7 @@ my %record_type = (
 
 use constant {
     VERS_TLS_1_4 => 0x0305,
-    VERS_TLS_1_3_DRAFT => 0x7f14,
+    VERS_TLS_1_3_DRAFT => 0x7f15,
     VERS_TLS_1_3 => 0x0304,
     VERS_TLS_1_2 => 0x0303,
     VERS_TLS_1_1 => 0x0302,

