From a3890a34274735b361214ce6eeebf43c700c1c27 Mon Sep 17 00:00:00 2001
From: lhuang04
Date: Tue, 4 Jan 2022 09:47:20 -0800
Subject: [PATCH] Swap the client and server random for TLS 1.3

Summary:

Test Plan:

Reviewers:

Subscribers:

Tasks:

Tags:

Signed-off-by: lhuang04
---
 ChangeLog.d/tls13_f_export_keys.txt | 3 +++
 library/ssl_tls13_keys.c | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 ChangeLog.d/tls13_f_export_keys.txt

diff --git a/ChangeLog.d/tls13_f_export_keys.txt b/ChangeLog.d/tls13_f_export_keys.txt
new file mode 100644
index 000000000..31debc289
--- /dev/null
+++ b/ChangeLog.d/tls13_f_export_keys.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fixed swap of client and server random bytes when exporting them alongside TLS 1.3 handshake and application traffic secret.
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 99eb8a4ca..eb84be558 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -1010,16 +1010,16 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
 tls13_hs_secrets->client_handshake_traffic_secret,
 md_size,
- handshake->randbytes + 32,
 handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );

 ssl->f_export_keys( ssl->p_export_keys,
 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
 tls13_hs_secrets->server_handshake_traffic_secret,
 md_size,
- handshake->randbytes + 32,
 handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
 }
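Review bot: The new `handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN` argument, passed as the server random in both calls of this hunk and again in the application-keys hunk below, rests on the layout of `randbytes` (client random first, server random directly after it) without saying so at the call site; a comment such as `/* randbytes holds client_random followed by server_random */` above the first call would make the offset, and the order the export callback expects, explicit. The same seven-argument call is now repeated four times differing only in the export type and the secret, which is exactly how the original swap slipped in; folding it into one static helper (sketched below) leaves a single place where the random order has to be right, each call site becoming e.g. `ssl_tls13_export_secret( ssl, MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET, tls13_hs_secrets->client_handshake_traffic_secret, md_size );`. The Test Plan in the commit record is empty; a test that registers an export callback and checks that the client random it receives equals the ClientHello random would pin the fix, since key-log consumers use that value as the lookup label for the exported secret. `mbedtls_ssl_tls13_generate_handshake_keys` begins outside the hunk, as does the conditional that encloses these calls, so the sketch carries its own NULL check on the callback.
```c
/* Hand one TLS 1.3 secret to the application's key-export callback.
 * randbytes holds the client random followed by the server random, and
 * the callback takes them in that order. */
static void ssl_tls13_export_secret( mbedtls_ssl_context *ssl,
                                     mbedtls_ssl_key_export_type type,
                                     const unsigned char *secret,
                                     size_t secret_len )
{
    const unsigned char *randbytes = ssl->handshake->randbytes;

    if( ssl->f_export_keys == NULL )
        return;

    ssl->f_export_keys( ssl->p_export_keys, type, secret, secret_len,
                        randbytes,
                        randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
                        MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
}

/* … unchanged: secret derivation in mbedtls_ssl_tls13_generate_handshake_keys … */
        ssl_tls13_export_secret( ssl,
            MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
            tls13_hs_secrets->client_handshake_traffic_secret, md_size );
        ssl_tls13_export_secret( ssl,
            MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
            tls13_hs_secrets->server_handshake_traffic_secret, md_size );
```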
@@ -1215,16 +1215,16 @@ int mbedtls_ssl_tls13_generate_application_keys(
 ssl->f_export_keys( ssl->p_export_keys,
 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
 app_secrets->client_application_traffic_secret_N, md_size,
- handshake->randbytes + 32,
 handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by a new constant for TLS 1.3! */ );

 ssl->f_export_keys( ssl->p_export_keys,
 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
 app_secrets->server_application_traffic_secret_N, md_size,
- handshake->randbytes + 32,
 handshake->randbytes,
+ handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by a new constant for TLS 1.3! */ );
 }