- /* Generate the early_secret */
- if (!tls13_generate_secret(s, md, NULL, s->session->master_key,
- s->session->master_key_length,
- (unsigned char *)&s->early_secret)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- /*
- * Create the handshake hash for the binder key...the messages so far are
- * empty!
- */
- mctx = EVP_MD_CTX_new();
- if (mctx == NULL
- || EVP_DigestInit_ex(mctx, md, NULL) <= 0
- || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- /* Generate the binder key */
- if (!tls13_hkdf_expand(s, md, s->early_secret,
- (unsigned char *)resumption_label,
- sizeof(resumption_label) - 1, hash, binderkey,
- hashsize)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- /* Generate the finished key */
- if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- /*
- * Get a hash of the ClientHello up to the start of the binders.
- * TODO(TLS1.3): This will need to be tweaked when we implement
- * HelloRetryRequest to include the digest of the previous messages here.
- */
- if (EVP_DigestInit_ex(mctx, md, NULL) <= 0
- || EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
- || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize);
- bindersize = hashsize;
- if (binderkey == NULL
- || EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
- || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
- || EVP_DigestSignFinal(mctx, binder, &bindersize) <= 0
- || bindersize != hashsize) {