tls-crypto: Fix MSK calculation for TLS 1.3

As noted in 121ac4b ("tls-crypto: Generate MSK for TLS 1.3"), the calculation was only preliminary. It is now fixed according to RFC 9190 and draft-ietf-emu-tls-eap-types (soon to become an RFC, currently in the RFC editor queue). Fixes: 121ac4b ("tls-crypto: Generate MSK for TLS 1.3")
strongswan · Feb 22, 2023 · 06abdf1 · 06abdf1
1 parent 5a512ff
commit 06abdf1
Showing 1 changed file with 20 additions and 4 deletions.
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
@@ -2312,11 +2312,27 @@ METHOD(tls_crypto_t, derive_app_keys, bool,
 	/* EAP-MSK */
 	if (this->msk_label)
 	{
+		uint8_t type;
+
+		switch (this->tls->get_purpose(this->tls))
+		{
+			case TLS_PURPOSE_EAP_TLS:
+				type = EAP_TLS;
+				break;
+			case TLS_PURPOSE_EAP_PEAP:
+				type = EAP_PEAP;
+				break;
+			case TLS_PURPOSE_EAP_TTLS:
+				type = EAP_TTLS;
+				break;
+			default:
+				return FALSE;
+		}
 		/* because the length is encoded when expanding key material, we
-		 * request the same number of bytes as FreeRADIUS (the first 64 for
-		 * the MSK, the next for the EMSK, which we just ignore) */
-		if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
-								this->handshake, 128, &this->msk))
+		 * request MSK and EMSK even if we don't use the latter */
+		if (!this->hkdf->export(this->hkdf, "EXPORTER_EAP_TLS_Key_Material",
+								chunk_from_thing(type), this->handshake, 128,
+								&this->msk))
 		{
 			return FALSE;
 		}