https://github.com/tlswg/tls13-spec/pull/912
On Fri, Mar 24, 2017 at 6:32 AM, Eric Rescorla <e...@rtfm.com> wrote: > > > On Fri, Mar 24, 2017 at 6:27 AM, Matt Caswell <fr...@baggins.org> wrote: > >> In draft-19 EndOfEarlyData was changed from an alert to a handshake >> message. Therefore I would have expected to see it included in the >> calculation of the ClientFinished (where early data is accepted). >> However section 4.4.4 defines the verify_data as follows: >> >> verify_data = >> HMAC(finished_key, >> Transcript-Hash(Handshake Context, >> Certificate*, CertificateVerify*)) >> >> The Handshake Context is given as ClientHello...ServerFinished. >> >> Was the EndOfEarlyData deliberately omitted from the ClientFinished >> calculcation? Or is this just a typo in section 4.4.4, i.e. should it >> say: >> >> verify_data = >> HMAC(finished_key, >> Transcript-Hash(Handshake Context, >> EndOfEarlyData*, Certificate*, >> CertificateVerify*)) >> >> I am currently looking into an interop failure between the OpenSSL and >> Haskell draft-19 implementations due to this. >> > > Thanks for catching this. It's a failure to update the draft completely > when > we made it a handshake message. Note that this contradicts S 7.1. > which lists it as the input to Derive-Secret. I think I'll just move that > graf to the Transcript-Hash section. > > https://tlswg.github.io/tls13-spec/#rfc.section.7.1 > > -Ekr > > >> >> Thanks >> >> Matt >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
