Generate exporter_master_secret after server Finished

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4944)

1 files changed, 12 insertions, 3 deletions

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index fe817f8f65..7975be54a8 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -581,9 +581,18 @@ int tls13_change_cipher_state(SSL *s, int which)
         goto err;
     }
 
-    if (label == server_application_traffic)
+    if (label == server_application_traffic) {
         memcpy(s->server_app_traffic_secret, secret, hashlen);
-    else if (label == client_application_traffic)
+        /* Now we create the exporter master secret */
+        if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
+                               exporter_master_secret,
+                               sizeof(exporter_master_secret) - 1,
+                               hash, hashlen, s->exporter_master_secret,
+                               hashlen)) {
+            /* SSLfatal() already called */
+            goto err;
+        }
+    } else if (label == client_application_traffic)
         memcpy(s->client_app_traffic_secret, secret, hashlen);
 
     if (!ssl_log_secret(s, log_label, secret, hashlen)) {
@@ -667,7 +676,7 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
     unsigned int hashsize, datalen;
     int ret = 0;
 
-    if (ctx == NULL || !SSL_is_init_finished(s))
+    if (ctx == NULL)
         goto err;
 
     if (!use_context)