In draft-19 EndOfEarlyData was changed from an alert to a handshake message. Therefore I would have expected to see it included in the calculation of the ClientFinished (where early data is accepted). However, section 4.4.4 defines the verify_data as follows:

    verify_data = HMAC(finished_key, Transcript-Hash(Handshake Context, Certificate*, CertificateVerify*))

The Handshake Context is given as ClientHello...ServerFinished. Was the EndOfEarlyData deliberately omitted from the ClientFinished calculation? Or is this just a typo in section 4.4.4, i.e. should it say:

    verify_data = HMAC(finished_key, Transcript-Hash(Handshake Context, EndOfEarlyData*, Certificate*, CertificateVerify*))

I am currently looking into an interop failure between the OpenSSL and Haskell draft-19 implementations due to this.

Thanks

Matt
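
Added example (not part of the original message, and not code from OpenSSL or the Haskell implementation): the verify_data formula computed over both candidate transcripts, showing that a peer which omits EndOfEarlyData rejects a Finished from a peer which includes it. SHA-256 as the hash, the message bodies, the finished_key value and the helper names are constructed assumptions; the handshake type codes are those of RFC 8446, assumed unchanged from draft-19.

```python
import hashlib
import hmac

# Handshake type codes as assigned in RFC 8446 (assumed unchanged from draft-19).
CLIENT_HELLO, SERVER_HELLO, END_OF_EARLY_DATA = 1, 2, 5
ENCRYPTED_EXTENSIONS, FINISHED = 8, 20


def hs_msg(msg_type: int, body: bytes = b"") -> bytes:
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def verify_data(finished_key: bytes, transcript: list[bytes]) -> bytes:
    """verify_data = HMAC(finished_key, Transcript-Hash(messages...))."""
    transcript_hash = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(finished_key, transcript_hash, hashlib.sha256).digest()


def check_finished(finished_key: bytes, transcript: list[bytes], received: bytes) -> bool:
    """Receiver side: recompute verify_data and compare in constant time."""
    return hmac.compare_digest(verify_data(finished_key, transcript), received)


# Constructed sample values: bodies are placeholders, not real handshake contents,
# and FINISHED_KEY is a fixed stand-in for the HKDF-derived finished_key.
FINISHED_KEY = bytes(range(32))
HANDSHAKE_CONTEXT = [
    hs_msg(CLIENT_HELLO, b"constructed-client-hello"),
    hs_msg(SERVER_HELLO, b"constructed-server-hello"),
    hs_msg(ENCRYPTED_EXTENSIONS, b"constructed-extensions"),
    hs_msg(FINISHED, b"constructed-server-verify-data"),
]
EOED = hs_msg(END_OF_EARLY_DATA)  # empty body, so the framing is 05 00 00 00

# Reading A: transcript exactly as written in section 4.4.4 (no client certificate here).
READING_A = HANDSHAKE_CONTEXT
# Reading B: EndOfEarlyData* appended after the Handshake Context.
READING_B = HANDSHAKE_CONTEXT + [EOED]

if __name__ == "__main__":
    client_finished = verify_data(FINISHED_KEY, READING_B)
    print("peer using reading B accepts:", check_finished(FINISHED_KEY, READING_B, client_finished))
    print("peer using reading A accepts:", check_finished(FINISHED_KEY, READING_A, client_finished))
```

Because EndOfEarlyData has an empty body, the two transcripts differ by only four bytes, yet the resulting verify_data values are unrelated and the handshake fails at the Finished check.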