@@ -505,10 +505,7 @@ static int quic_change_cipher_state(SSL *s, int which)
505505 || !tls13_hkdf_expand (s , md , s -> master_secret , server_application_traffic ,
506506 sizeof (server_application_traffic )- 1 , hash , hashlen ,
507507 s -> server_app_traffic_secret , hashlen , 1 )
508- || !ssl_log_secret (s , SERVER_APPLICATION_LABEL , s -> server_app_traffic_secret , hashlen )
509- || !tls13_hkdf_expand (s , md , s -> master_secret , resumption_master_secret ,
510- sizeof (resumption_master_secret )- 1 , hash , hashlen ,
511- s -> resumption_master_secret , hashlen , 1 )) {
508+ || !ssl_log_secret (s , SERVER_APPLICATION_LABEL , s -> server_app_traffic_secret , hashlen )) {
512509 /* SSLfatal() already called */
513510 goto err ;
514511 }
@@ -522,6 +519,8 @@ static int quic_change_cipher_state(SSL *s, int which)
522519 else
523520 s -> quic_read_level = level ;
524521 } else {
522+ /* is_client_write || is_server_read */
523+
525524 if (is_early ) {
526525 level = ssl_encryption_early_data ;
527526
@@ -537,6 +536,16 @@ static int quic_change_cipher_state(SSL *s, int which)
537536 level = ssl_encryption_handshake ;
538537 } else {
539538 level = ssl_encryption_application ;
539+ /*
540+ * We also create the resumption master secret, but this time use the
541+ * hash for the whole handshake including the Client Finished
542+ */
543+ if (!tls13_hkdf_expand (s , md , s -> master_secret , resumption_master_secret ,
544+ sizeof (resumption_master_secret )- 1 , hash , hashlen ,
545+ s -> resumption_master_secret , hashlen , 1 )) {
546+ /* SSLfatal() already called */
547+ goto err ;
548+ }
540549 }
541550
542551 if (s -> server )
0 commit comments