authorDaiki Ueno <dueno@redhat.com>2019-04-11 12:07:00 +0200
committerDaiki Ueno <dueno@redhat.com>2019-04-19 07:44:34 +0200
commit0e579649a6e9ab690f0a3f6f8a0b7abd3f715881 (patch)
tree5223e70d3f499712fef5cf098773014d8ac9431e
parent163c32a8d6b107eca08bf404ee076b0d240bf942 (diff)
downloadgnutls-0e579649a6e9ab690f0a3f6f8a0b7abd3f715881.tar.gz
handshake: generate early exporter secret
Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r--lib/ext/pre_shared_key.c12
-rw-r--r--lib/gnutls_int.h2
2 files changed, 13 insertions, 1 deletions
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
index 42f728286b..436a426a87 100644
--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
@@ -207,6 +207,18 @@ generate_early_secrets(gnutls_session_t session,
session->key.proto.tls13.e_ckey,
prf->output_size);
+ ret = _tls13_derive_secret2(prf, EARLY_EXPORTER_MASTER_LABEL, sizeof(EARLY_EXPORTER_MASTER_LABEL)-1,
+ session->internals.handshake_hash_buffer.data,
+ session->internals.handshake_hash_buffer_client_hello_len,
+ session->key.proto.tls13.temp_secret,
+ session->key.proto.tls13.ap_expkey);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ _gnutls_nss_keylog_write(session, "EARLY_EXPORTER_SECRET",
+ session->key.proto.tls13.ap_expkey,
+ prf->output_size);
+
return 0;
}
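Review bot: Storing the early exporter secret in `session->key.proto.tls13.ap_expkey` makes one buffer hold two different RFC 8446 secrets at different times, which the updated comment in lib/gnutls_int.h confirms. Code outside this hunk presumably overwrites the field later with exporter_master_secret. If so, any exporter call that reads `ap_expkey` before that point would derive from the early secret without knowing it, and the early value is unrecoverable afterwards. A dedicated field would keep the two separated, for example `uint8_t e_expkey[MAX_HASH_SIZE]; /* early_exporter_master_secret */` (proposed name, modelled on `e_ckey`). Failing that, add a comment above the `_tls13_derive_secret2` call such as `/* ap_expkey holds the early exporter secret only until the handshake derives exporter_master_secret */`. The body of generate_early_secrets starts outside the hunk, so the callers and the later overwrite should be checked against the full file.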
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 72d6c066b6..53ca32b19c 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -537,7 +537,7 @@ struct gnutls_key_st {
uint8_t hs_skey[MAX_HASH_SIZE]; /* server_hs_traffic_secret */
uint8_t ap_ckey[MAX_HASH_SIZE]; /* client_ap_traffic_secret */
uint8_t ap_skey[MAX_HASH_SIZE]; /* server_ap_traffic_secret */
- uint8_t ap_expkey[MAX_HASH_SIZE]; /* exporter_master_secret */
+ uint8_t ap_expkey[MAX_HASH_SIZE]; /* {early_,}exporter_master_secret */
uint8_t ap_rms[MAX_HASH_SIZE]; /* resumption_master_secret */
} tls13; /* tls1.3 */