On Fri, Oct 07, 2016 at 06:41:35PM +0900, Kazuho Oku wrote: > Hi, > > Recently I have started writing a TLS 1.3 implementation. While > working on it, I have noticed the following. > > In section 4.4.3, the hash value used for building the HMAC is defined > as: Hash(Handshake Context + Certificate* + CertificateVerify*). > > For ServerFinished, this corresponds to the statement following the > formula that states, quote: > > the HMAC input can generally be implemented by a running hash, > i.e., just the handshake hash at this point. > > since Handshake Context for 1-RTT server is (as defined in section > 4.4): ClientHello … later of EncryptedExtensions/CertificateRequest. > > However, for ClientFinished, the two descriptions do not match, since > Handshake Context for 1RTT client is: ClientHello … ServerFinished. > > If we follow the way it is defined in the formula, then Certificate > and CertificateVerify needs to be applied to the hash after > ServerFinished, which is in discordance with the statement that it > could be implemented using a running hash.
Nope, it is a running hash: The server Finished includes the following messages, in this order: - ClientHello - HelloRetryRequest (if sent) - Clienthello (another, if HRR was sent) - ServerHello - EncryptedExtensions - CertificateRequest (if sent) - Certificate (server's) - CertificateVerify (server's) And this exactly corresponds to the send/receive order. The client finished includes, in this order: - ClientHello - HelloRetryRequest (if sent) - Clienthello (another, if HRR was sent) - ServerHello - EncryptedExtensions - CertificateRequest (if sent) - Certificate (server's) - CertificateVerify (server's) - Finished (server's) - Certificate (client's, if CR was sent). - CertificateVerify (client's, if non-empty client cert was sent) And this exactly corresponds to the send/receive order. One place to be careful of is client application keys: The hash used for those is taken immediately after ServerFinished, but the keys are only commissioned after ClientFinished (whereas server keys have the hash taken in the same time as those are commissioned in). -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
