On Fri, Mar 24, 2017 at 6:27 AM, Matt Caswell <fr...@baggins.org> wrote:

> In draft-19 EndOfEarlyData was changed from an alert to a handshake
> message. Therefore I would have expected to see it included in the
> calculation of the ClientFinished (where early data is accepted).
> However section 4.4.4 defines the verify_data as follows:
>
>       verify_data =
>           HMAC(finished_key,
>                Transcript-Hash(Handshake Context,
>                                Certificate*, CertificateVerify*))
>
> The Handshake Context is given as ClientHello...ServerFinished.
>
> Was the EndOfEarlyData deliberately omitted from the ClientFinished
> calculation? Or is this just a typo in section 4.4.4, i.e. should it
> say:
>
>       verify_data =
>           HMAC(finished_key,
>                Transcript-Hash(Handshake Context,
>                                EndOfEarlyData*, Certificate*,
>                                CertificateVerify*))
>
> I am currently looking into an interop failure between the OpenSSL and
> Haskell draft-19 implementations due to this.
>

Thanks for catching this. It's a failure to update the draft completely when
we made it a handshake message. Note that this contradicts S 7.1,
which lists it as the input to Derive-Secret. I think I'll just move that
graf to the Transcript-Hash section.

https://tlswg.github.io/tls13-spec/#rfc.section.7.1

-Ekr


>
> Thanks
>
> Matt
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
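
The interop failure discussed in this thread, as an added example that is not part of either message and is not code from OpenSSL or the Haskell implementation: two peers compute the client Finished verify_data over the same PSK handshake, one following section 4.4.4 as written and one including EndOfEarlyData in the transcript. SHA-256, the message bodies, the fixed finished_key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Handshake type codes (end_of_early_data is 5 in TLS 1.3).
CLIENT_HELLO, SERVER_HELLO, END_OF_EARLY_DATA = 1, 2, 5
ENCRYPTED_EXTENSIONS, FINISHED = 8, 20


def handshake_msg(msg_type: int, body: bytes = b"") -> bytes:
    """Frame a body as a Handshake message: 1-byte type + 3-byte length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def transcript_hash(*messages: bytes) -> bytes:
    """Transcript-Hash(M1, ..., Mn) = Hash(M1 || ... || Mn), here SHA-256."""
    return hashlib.sha256(b"".join(messages)).digest()


def verify_data(finished_key: bytes, *messages: bytes) -> bytes:
    """verify_data = HMAC(finished_key, Transcript-Hash(messages))."""
    return hmac.new(finished_key, transcript_hash(*messages), hashlib.sha256).digest()


# Constructed placeholder bodies; only their presence in the transcript matters.
HANDSHAKE_CONTEXT = [
    handshake_msg(CLIENT_HELLO, b"constructed ClientHello"),
    handshake_msg(SERVER_HELLO, b"constructed ServerHello"),
    handshake_msg(ENCRYPTED_EXTENSIONS, b"constructed EncryptedExtensions"),
    handshake_msg(FINISHED, b"\x00" * 32),  # server Finished
]
EOED = handshake_msg(END_OF_EARLY_DATA)  # empty body: 05 00 00 00
FINISHED_KEY = bytes(range(32))  # constructed stand-in for the derived key


def client_finished(include_eoed: bool) -> bytes:
    """Client Finished verify_data for a PSK handshake (no client certificate)."""
    extra = [EOED] if include_eoed else []
    return verify_data(FINISHED_KEY, *HANDSHAKE_CONTEXT, *extra)


def peer_accepts(received: bytes, include_eoed: bool) -> bool:
    """Server-side check, constant-time, against its own view of the transcript."""
    return hmac.compare_digest(received, client_finished(include_eoed))


if __name__ == "__main__":
    literal = client_finished(include_eoed=False)  # section 4.4.4 as written
    print("same reading on both sides:", peer_accepts(literal, include_eoed=False))
    print("peer hashes EndOfEarlyData:", peer_accepts(literal, include_eoed=True))
```

The four-byte EndOfEarlyData message is enough to change the transcript hash, so a Finished computed under one reading is rejected by a peer using the other.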