Hi,

Recently I have started writing a TLS 1.3 implementation. While
working on it, I have noticed the following.

In section 4.4.3, the hash value used for building the HMAC is defined
as: Hash(Handshake Context + Certificate* + CertificateVerify*).

For ServerFinished, this corresponds to the statement following the
formula that states, quote:

    the HMAC input can generally be implemented by a running hash,
    i.e., just the handshake hash at this point.

since Handshake Context for 1-RTT server is (as defined in section
4.4): ClientHello … later of EncryptedExtensions/CertificateRequest.

However, for ClientFinished, the two descriptions do not match, since
Handshake Context for 1-RTT client is: ClientHello … ServerFinished.

If we follow the way it is defined in the formula, then Certificate
and CertificateVerify need to be applied to the hash after
ServerFinished, which is in discordance with the statement that it
could be implemented using a running hash.

Is this an error in the draft?

-- 
Kazuho Oku
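
An added example, not part of the original message or of the draft: it computes the Finished hash input both ways, once by concatenating Handshake Context + Certificate* + CertificateVerify* as in the formula quoted above and once as a running hash over the messages in wire order. It assumes SHA-256, constructed message bodies and placeholder Finished keys, and that Certificate*/CertificateVerify* are the sending side's own messages, sent just before its Finished.

```python
import hashlib
import hmac

# Handshake type codes as in RFC 8446; every message body is a constructed placeholder.
CH, SH, EE, CERT, CR, CV, FIN = 1, 2, 8, 11, 13, 15, 20
SERVER_FINISHED_KEY = b"\x01" * 32  # constructed, not derived from a key schedule

def msg(msg_type, body):
    """Frame a handshake message: 1-byte type, 3-byte length, then the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def formula_hash(context, cert, cert_verify):
    """Hash(Handshake Context + Certificate* + CertificateVerify*) by concatenation."""
    return hashlib.sha256(b"".join(context) + cert + cert_verify).digest()

def simulate():
    """Return {side: (running_hash, formula_hash)} at the point each Finished is built."""
    running, sent = hashlib.sha256(), []

    def send(m):
        running.update(m)  # the running hash sees every message in wire order
        sent.append(m)
        return m

    # Server side: context is ClientHello ... EncryptedExtensions/CertificateRequest.
    for t, body in [(CH, b"hello-c"), (SH, b"hello-s"), (EE, b"ext"), (CR, b"req")]:
        send(msg(t, body))
    server_context = list(sent)
    s_cert, s_cv = send(msg(CERT, b"server-cert")), send(msg(CV, b"server-sig"))
    server = (running.copy().digest(), formula_hash(server_context, s_cert, s_cv))

    # ServerFinished itself enters the transcript before anything the client sends.
    verify_data = hmac.new(SERVER_FINISHED_KEY, server[0], hashlib.sha256).digest()
    send(msg(FIN, verify_data))

    # Client side: context is ClientHello ... ServerFinished.
    client_context = list(sent)
    c_cert, c_cv = send(msg(CERT, b"client-cert")), send(msg(CV, b"client-sig"))
    client = (running.copy().digest(), formula_hash(client_context, c_cert, c_cv))
    return {"server": server, "client": client}

if __name__ == "__main__":
    for side, (run, formula) in simulate().items():
        print(side, "running == formula:", run == formula)
```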
